b'                                   EVALUATION\n\n\n\n\nFY 2010 FISMA\nEVALUATION REPORT\n\n\n\n\nReport No.: ISD-EV-MOA-0001-2010   November 2010\n\x0cTable of Contents\nResults in Brief ....................................................................................................... 1\n\nIntroduction ............................................................................................................. 3\n   Objective ............................................................................................................. 3\n   Background ......................................................................................................... 3\n\nFindings................................................................................................................... 5\n   IT Inventory......................................................................................................... 5\n   Certification and Accreditation ......................................................................... 10\n   Security Configuration Management ................................................................ 16\n   Incident Response and Reporting ...................................................................... 20\n   Security Training ............................................................................................... 23\n   Plan of Action and Milestones .......................................................................... 29\n   Remote Access .................................................................................................. 32\n   Account and Identity Management ................................................................... 35\n   Continuous Monitoring ..................................................................................... 39\n   Contingency Planning ....................................................................................... 43\n   Oversight of Contractor Systems ...................................................................... 45\n\nConclusion and Recommendations ....................................................................... 48\n   Conclusion......................................................................................................... 48\n   Recommendation Summary .............................................................................. 48\n\nAppendix 1: Scope and Methodology................................................................... 51\n   Scope ................................................................................................................. 51\n   Methodology ..................................................................................................... 52\n\nAppendix 2: Summary of FISMA Results (FY 2003 to 2010) ............................. 53\n\nAppendix 3: Related OIG Reports, Management Advisories, and Evaluations ... 56\n\x0cResults in Brief\nOur fiscal year (FY) 2010 FISMA Evaluation Report reveals major\ninconsistencies in the U.S. Department of the Interior\xe2\x80\x99s (DOI) Information\nTechnology (IT) security program. These inconsistencies are a reflection of DOI\xe2\x80\x99s\ndecentralized approach to governing IT security. Each bureau manages its own\nsecurity program, as the Department Chief Information Officer does not have the\nauthority to unify and align the Department\xe2\x80\x99s IT security program.\n\nWe found several DOI systems missing or not clearly identified in inventory\ndatabases, and that potentially helpful investments were sitting idle on shelves.\nWe also identified key program areas that are not consistently implemented, such\nas incident response, configuration management, and remote access.\n\n   \xe2\x80\xa2   Our unannounced tests of DOI\xe2\x80\x99s incident response capabilities revealed\n       that social engineering gained us network access and access to sensitive\n       information following requests to reset the passwords of key personnel.\n       We found that these potential security breaches occur without being\n       identified and fragmented reporting processes enable these events to\n       continue.\n   \xe2\x80\xa2   Our testing revealed that bureaus have installed multiple Web browsers\n       that are not compliant with the Federal Desktop Core Configuration\n       standards.\n   \xe2\x80\xa2   We determined that DOI bureaus continue to use multiple remote access\n       solutions to which the Department has no insight. We identified one of\n       these remote solutions, which the Department did not know that the\n       bureau had implemented. The bureau was forced to shut it down until it\n       could be formally documented and risks assessed.\n\nWe found that the information that authorizing officials use as the basis for their\noperating decisions is incomplete and inaccurate. This information, which comes\nto them in a package containing the system security plan, security assessment\nreports, and plans of action and milestones, should be complete enough for an\nauthorizing official to assess the risks of operating a system. More than half the\npackages we found were incomplete or lacked the necessary quality to provide\nauthorizing officials with an accurate view of the system security posture. This\ninadequacy presents further challenges for the Department as it prepares to meet\nnew National Institute of Standards and Technology requirements to move this\nprocess toward ongoing security authorizations.\n\nWe also found promising programs in DOI\xe2\x80\x99s IT security. One such program\nrequires that all DOI employees and contractors use a personal identity\nverification card to log into the network. This will significantly increase network\nand remote access security. To date, 76 percent of employees and 23 percent of\ncontractors are enrolled.\n\n                                                                                      1\n\x0cAlso, the Department launched the DOI Innovation and Efficiency Team (DIET)\nInitiatives in June 2010. Although DIET is still in the planning stages, this\ninitiative promises to provide long-term solutions to cost efficiency.\n\n\n\n\n                                                                                2\n\x0cIntroduction\nIncreased cyber threats have resulted in the establishment of security standards\nmeant to unify the Federal Information Security Management Act (FISMA)\nframework for the Federal Government.\n\nFiscal year (FY) 2010 has seen the greatest changes to FISMA requirements since\nits inception in 2002. The U.S. Department of the Interior (DOI or Department)\nhave not managed to keep pace. Weaknesses in fundamental areas of the\nDepartment\xe2\x80\x99s Information Technology (IT) security program remain unresolved.\n\nObjective\nThis report summarizes the results of our FY 2010 FISMA Evaluation of the\nDepartment\xe2\x80\x99s IT security program. We evaluated DOI\xe2\x80\x99s compliance with the\nrequirements of the Federal Information Security Management Act and related\ninformation security policies, procedures, standards, and guidelines. This report\nalso contains recommendations to enhance DOI\xe2\x80\x99s information security program\nand move toward full FISMA compliance.\n\nBackground\nCongress enacted Title III of the E-Government Act of 2002, Federal Information\nSecurity Management Act, in response to concerns about the security of Federal\ninformation and IT systems. FISMA\xe2\x80\x99s primary intent was to facilitate progress in\ncorrecting agency information security deficiencies and improve oversight of\nFederal information security programs. FISMA \xc2\xa7 3545(a) requires the Office of\nInspector General (OIG) to perform an annual evaluation of the Department\xe2\x80\x99s\ninformation security program and practices.\n\nFISMA also requires the Secretary of Commerce to prescribe compulsory,\nbinding standards and guidelines pertaining to Federal information systems. As a\ncomponent of the Department of Commerce, the National Institute of Standards\nand Technology (NIST) is required to develop Federal Information Processing\nStandards, which define the minimum requirements for information security and\nsystem security categorizations. NIST is responsible for developing information\nsecurity standards and guidelines, including minimum requirements for Federal\ninformation systems. NIST introduced two publications in the last year that have\nsignificantly changed Federal agency information security programs. The revised\nguidance includes:\n\n   \xe2\x80\xa2   NIST Special Publication 800-37, Revision 1, \xe2\x80\x9cGuide for Applying the\n       Risk Management Framework to Federal Information Systems;\xe2\x80\x9d and\n   \xe2\x80\xa2   NIST Special Publication 800-53, Revision 3, \xe2\x80\x9cRecommended Security\n       Controls for Federal Information Systems and Organizations.\xe2\x80\x9d\n\n\n\n                                                                                    3\n\x0cThese publications updated IT security controls to address cyber threats,\nemphasize IT risk management and continuous monitoring, and recognize that\nauthorizing officials need to have access to near real-time monitoring.\nCompliance with FISMA is no longer dependent upon a stagnant certification and\naccreditation package, rather the requirements have moved toward ongoing\ninformation system authorizations.\n\nThe Office of Management and Budget (OMB) must report annually to Congress\non all Federal agencies\xe2\x80\x99 FISMA compliance. OMB used CyberScope as the\nautomated FISMA data collection instrument for reporting on agency compliance.\nCyberScope contained 11 areas for OIG input in FY 2010:\n\n   \xe2\x80\xa2   Certification and Accreditation Program;\n   \xe2\x80\xa2   Status of Security Configuration Management;\n   \xe2\x80\xa2   Status of Incident Response and Reporting Program;\n   \xe2\x80\xa2   Status of Security Training Program;\n   \xe2\x80\xa2   Status of Plans of Action and Milestones Program;\n   \xe2\x80\xa2   Status of Remote Access Program;\n   \xe2\x80\xa2   Status of Account and Identity Management Program;\n   \xe2\x80\xa2   Status of Continuous Monitoring Program;\n   \xe2\x80\xa2   Status of Contingency Planning Program;\n   \xe2\x80\xa2   Status of Agency Program to Oversee Contractor Systems; and\n   \xe2\x80\xa2   Financial Audit.\n\nEnterprise Initiative\nThe Department launched the DOI Innovation and Efficiency Team (DIET)\nInitiatives in June 2010 \xe2\x80\x9cto identify and implement immediate and long-term\nsolutions to realize cost savings, cost avoidance, cost efficiencies and/or\ninnovations across the DOI IT environment.\xe2\x80\x9d DIET, which is still in the planning\nphase, includes objectives and projects that, once implemented, promise to\ncontribute to the IT Security Program.\n\nThe DIET Initiatives include:\n\n   \xe2\x80\xa2   Infrastructure consolidation (of facilities, telecom, servers and storage,\n       applications and data, and IT asset inventory);\n   \xe2\x80\xa2   Data center consolidation;\n   \xe2\x80\xa2   Unified messaging;\n   \xe2\x80\xa2   Risk-based Information Security Services;\n   \xe2\x80\xa2   Radio site consolidation; and\n   \xe2\x80\xa2   Workstation ratio reduction.\n\n\n\n\n                                                                                    4\n\x0cFindings\nThe findings in this evaluation are organized by the 11 Information Technology\n(IT) security program areas: IT inventory, certification and accreditation, security\nconfiguration management, incident response and reporting, security training,\nplans of action and milestones, remote access, account and identity management,\ncontinuous monitoring, contingency planning, and oversight of contractor\nsystems.\n\nWe also include all relevant policies, guidance, requirements, regulations, or\ndefinitions and answer whether or not the Department\xe2\x80\x99s bureaus follow that\nexisting guidance.\n\nIT Inventory\nPolicy\nThe U.S. Department of the Interior (DOI or Department) has established a policy\nfor maintaining IT inventory, but confusion over the policy has impacted its\naccuracy. Managing the DOI IT infrastructure is dependent upon an accurate\ninventory and provides a foundation for an effective IT security program and\nFISMA compliance.\n\nThe March 2008 DOI IT Security Policy Handbook (Version 3.1), requires\nbureaus to \xe2\x80\x9ctrack all IT system components and security status by maintaining a\ncomprehensive inventory in the DOI Enterprise Architecture Repository\n(DEAR).\xe2\x80\x9d The Chief Information Officer (CIO) issued a directive 1 establishing\nDEAR \xe2\x80\x9cas the official data source for DOI enterprise architecture artifacts, [and]\nall DOI information systems.\xe2\x80\x9d The directive also states that the bureau CIOs are\nresponsible for annual written assurance that data in DEAR is accurate and\ncomplete.\n\nDOI also implemented the Cyber Security Assessment Management (CSAM)\nsolution, which identifies IT system inventory. Its primary purpose, however, is to\nbe the official repository for preserving Certification & Accreditation (C&A)\nPackage documentation, Plans of Action and Milestones (POAM), and Internal\nControl Reviews for each system in inventory. A September 23, 2008\nDepartmental memorandum, titled \xe2\x80\x9cMandatory Use of the Cyber Security\nAssessment Management (CSAM) Solution\xe2\x80\x9d and signed by the Acting\nDepartment CIO, specifies mandatory use and full implementation of the CSAM\nsolution.\n\nOn April 27, 2009, we issued a management advisory, \xe2\x80\x9cDeficiencies in System\nInventory Management,\xe2\x80\x9d which states that disparities exist between DEAR\ninventory and the inventory documented in C&A packages. The Department CIO\n\n1\n Office of the Chief Information Officer Directive No. 2009-002, \xe2\x80\x9cPopulation and Maintenance of the\nDepartmental Enterprise Architecture Repository,\xe2\x80\x9d February 6, 2009.\n\n                                                                                                      5\n\x0cresponded to the management advisory on July 9, 2009, stating corrective action\nwas taken for the discrepancies. The Department also stated that it had \xe2\x80\x9cinitiated a\nmore robust data harmonization effort.\xe2\x80\x9d We determined corrective actions were\nnot focused on the systemic process weakness. We identified similar issues in FY\n2010.\n\nOur review identified that inaccurate and incomplete system inventory is\nunreliable for identifying accreditation boundaries. We also found that bureau\nCIOs are not certifying inventory as policy requires.\n\nSystem Inventory\nDOI has not established clear procedures to consistently manage its IT inventory,\nwhich results in confusion among bureaus as to which system is used for\nmaintaining inventory.\n\nDuring our fieldwork, three bureaus stated that CSAM is the most accurate source\nof inventory information, but the Department has documented and confirmed that\nDEAR is the primary system for maintaining IT inventory. Despite weekly data\nfeeds from CSAM to DEAR, the two systems are not reflective of each other and\nthey maintain different data elements.\n\nNational Institute of Standards and Technology (NIST) Special Publication 800-\n37 defines an accreditation boundary 2 as \xe2\x80\x9call components of an information\nsystem to be accredited by an authorizing official.\xe2\x80\x9d DEAR is used to maintain the\nDepartment\xe2\x80\x99s accredited IT system inventory and component parts, but bureaus\nmaintain the inventory of component parts inconsistently. DEAR does not present\nan accurate view of the accreditation boundary and the components, accounting\nfor 253 3 accredited systems (which include placeholders for pending and\nunmatched), while CSAM reflects 270. The component under each accredited\nsystem is not identified in inventory.\n\nThe bureaus use a wide, and often confusing, array of terms related to inventory\nmanagement. The Department also has no organization-wide agreement for the\ndefinition of \xe2\x80\x9csystems,\xe2\x80\x9d and bureaus use inconsistent criteria when determining\nhow all identifiers are used to manage IT inventory.\n\nSample of Systems reveal Inventory Discrepancies\nInventory entries into DEAR and CSAM are neither complete nor managed\nconsistently across the Department. Our sample of systems showed:\n\n    \xe2\x80\xa2    Inconsistent identification of inventory\n            o The Talent Management System was not included in DEAR\n                inventory and was only entered in CSAM as a minor application\n\n2\n  NIST Special Publication 800-37, Revision 1, states that the term \xe2\x80\x9caccreditation boundary\xe2\x80\x9d is synonymous\nwith \xe2\x80\x9cinformation system boundary\xe2\x80\x9d and \xe2\x80\x9cauthorization boundary.\xe2\x80\x9d\n3\n  Based on the \xe2\x80\x9cDEAR Certification & Accreditation Boundaries-All C&A Detail\xe2\x80\x9d July 13, 2010 report.\n\n                                                                                                             6\n\x0c              with the Human Resource Management Suite accreditation\n              boundary following our request for documentation. This is not the\n              National Business Center\xe2\x80\x99s (NBC) normal process. The Talent\n              Management System is now the only minor application in NBC\xe2\x80\x99s\n              system inventory in CSAM;\n           o DOI has consistently failed to include development systems, such\n              as the Incident Management Analysis and Reporting System,\n              which has been in development since 2004, in inventory. It was\n              added into DEAR and CSAM only after we included this system in\n              our sample;\n           o The Radio Program General Support System is not in DEAR or\n              CSAM inventory; and\n           o The Project Portfolio System is not in DEAR or CSAM inventory.\n   \xe2\x80\xa2   Incomplete inventory\n           o The National Park Service General Support System (OneGSS) has\n              significant minor applications, such as the Concession\n              Management System, which is not identified with its accreditation\n              boundary in DEAR inventory;\n           o The Native American Student Information System does not have\n              any components associated with the system in DEAR inventory,\n              yet a contractor operates a portion of the system;\n           o The National Conservation Training Center Local Area Network does\n              not have any minor applications, yet a contractor operates an\n              associated property management system; and\n           o The Science and Support System-Low (S&SS-Low) was one of the\n              systems receiving minor applications from two retired U.S.\n              Geological Service (USGS) systems, yet the minor applications are\n              not identifiable in DEAR or CSAM inventory and associated with\n              S&SS Low.\n   \xe2\x80\xa2   Sites with no minor applications\n           o The Bureau of Land Management (BLM) General Support System\n              (GSS) state, district, and local offices are in DEAR and CSAM\n              inventory with no minor applications; and\n           o NPS OneGSS parks, offices, and centers are in CSAM inventory\n              with no minor applications.\n   \xe2\x80\xa2   Minor applications with no sites\n           o Office of Surface Mining (OSM) GSS minor applications are in\n              DEAR and CSAM inventory and the security documentation\n              agrees; and\n           o Office of the Special Trustee (OST) NET minor applications are in\n              CSAM inventory, but the security documentation does not agree\n              with inventory.\n\nInaccurate Inventory used for Management Decisions\nManagement decisions based on incomplete and inaccurate inventory introduce\nrisks to the IT security program. It is not prudent for an authorizing official to\n\n                                                                                     7\n\x0coperate a system and assume the risk without a clear understanding and accurate\ndocumentation of all components included in the accreditation boundary.\nFurthermore, each year the bureau CIOs are required to certify that their bureau\xe2\x80\x99s\nDEAR database \xe2\x80\x94 an inventory system that is not consistently managed and\ndocumented \xe2\x80\x94 is accurate and complete. In FY 2010, five bureau CIOs\ncompleted DEAR certifications, including U.S. Fish and Wildlife Service (FWS),\nMinerals Management Service (MMS), NBC, NPS, and Office of Historical Trust\nAccounting (OHTA). We reviewed the completeness of DEAR inventory for the\nfive bureaus that completed the CIO certification and determined only the MMS\nsystem, is in fact accurate and complete.\n\nAccreditation Boundaries\nAn accreditation boundary identifies the information resources covered by the\nauthorization decision. NIST Special Publication 800-37, Revision 1, changes the\nterm \xe2\x80\x9caccreditation boundary\xe2\x80\x9d to \xe2\x80\x9cauthorization boundary\xe2\x80\x9d or \xe2\x80\x9cinformation\nsystem boundary.\xe2\x80\x9d The authorization boundary is \xe2\x80\x9cthe set of information\nresources allocated to an information system\xe2\x80\x9d and \xe2\x80\x9cwell defined boundaries\nestablish the scope of protection for organizational information systems.\xe2\x80\x9d\n\nAuthorization boundaries are poorly defined and documented throughout much of\nthe Department. Errors and omissions in the DEAR system inventory amplify\nboundary discrepancies and vague definitions. DEAR, CSAM, and the\nauthorization package do not provide an accurate view of system authorization\nboundaries. Authorizing officials make decisions to operate systems based on the\nboundary described in the authorization package and in DEAR inventory. The\nrisks associated with the system are not identifiable if boundaries are not\naccurately identified.\n\nContractor Systems\nDOI guidance is unclear as to when IT systems or subsystems should be identified\nas a contractor system in inventory. NIST Special Publication 800-37, Revision 1,\ndefines a Federal information system as \xe2\x80\x9can information system used or operated\nby an executive agency, by a contractor of an executive agency, or by another\norganization on behalf of an executive agency.\xe2\x80\x9d Contractor systems are to be\nidentified in IT inventory separate from agency-owned systems, but DOI\nguidance does not specify further criteria for determining if contractor systems or\nsubsystems should be identified in DEAR.\n\nBureaus do not consistently identify contractor systems inventory. Our sample of\nsystems revealed that the identification of contractor systems is inconsistent when\nboth agency and contractor share in hosting or operations.\n\nTwo systems in our sample were identified as contractor systems in inventory.\nThose systems include:\n\n\n\n\n                                                                                  8\n\x0c   \xe2\x80\xa2   The Land Records Information System, which is hosted in a DOI\n       Government facility. The system security plan does not reference contract\n       operators; and\n   \xe2\x80\xa2   The OHTA Clifton Gunderson Indian Trust Information System, which is\n       hosted at a contractor facility and operated by contractors.\n\nThree other systems in our sample are fully or partially hosted or operated by\ncontractors and are not identified as contractor systems, including:\n\n   \xe2\x80\xa2   The DOI Enterprise Services Network, which is hosted in a Government\n       facility and primarily operated by contractors, along with some Federal\n       personnel;\n   \xe2\x80\xa2   The Native American Student Information System, which is primarily\n       hosted in a Government building in Albuquerque, NM, and partially at a\n       contractor facility in Blaine, MN, where contractors provide system\n       administration and help desk support; and\n   \xe2\x80\xa2   The National Conservation Training Center Local Area Network hosted at\n       a Government building and includes a Property Management System that\n       is managed by a guest services contractor.\n\nNot clearly identifying contractor systems has impacts beyond the IT inventory.\nAuthorizing officials receive incomplete descriptions of the systems via the C&A\npackages, DOI cannot oversee contractors and assure compliance with FISMA\nsecurity requirements, and contractor data centers are not accurately identified,\nwhich causes them to be left out for consideration in the Department\xe2\x80\x99s data center\nconsolidation efforts.\n\nHardware and Software Inventory\nConditions at DOI present persistent challenges to maintaining a valid asset\ninventory. IT acquisitions for hardware and software are not centralized at all\nbureaus and controlling what is deployed on the network is difficult. Network\naccess controls are not implemented throughout most of DOI, which means there\nis not an effective way to control what hardware connects to the network. In\naddition, the widespread use of local administrator rights enables users to install\nunauthorized software.\n\nThe \xe2\x80\x9cDepartment\xe2\x80\x99s C&A Guide Using CSAM\xe2\x80\x9d states that asset inventory\nincludes \xe2\x80\x9call hardware and software, including Servers, Workstations, O/S\n[operating system], software suites, applications, Web functionality, development\napplications, virus protection, Web tools such as Cold Fusion, VPNs [Virtual\nPrivate Network], encryption tool, firmware, modems, hubs, routers, contractor\nauthorized hardware and software, firewalls, IDS [intrusion detection system],\nscan tools, etc.\xe2\x80\x9d\n\nThe Department has the technical capabilities to identify IT asset inventory, but\nbureaus impose limitations on the network, which prevents DOI insight into all\n\n                                                                                      9\n\x0cbureaus. As a result, asset inventory is not centrally managed and bureaus do not\nuse consistent methods to identify their asset inventories. Some bureaus use\nautomated mechanisms to generate asset inventory reports while other bureaus\nhave a manual process, and one bureau is unable to report.\n\n    Recommendations\n\n      1. Standardize the use of terms within CSAM.\n\n      2. Establish clear guidance for managing IT assets system inventory,\n         including: the identification and documentation of minor applications,\n         the identification (description, hosted, or operated) and documentation\n         of contractor components, a process for adding systems in\n         development to inventory, a process for adding test systems into\n         inventory, and a process for mapping all components to authorization\n         boundaries.\n\n      3. Establish clear guidance for managing hardware and software asset\n         inventory.\n\n\nCertification and Accreditation\nPolicy\nSystem accreditation is required by the Office of Management and Budget 4 and is\na required FISMA process. Accrediting an information system means a \xe2\x80\x9csenior\nagency official accepts responsibility for the security of the system and is fully\naccountable for any adverse impacts to the agency if a breach of security occurs,\xe2\x80\x9d\naccording to the Department\xe2\x80\x99s June 2009 \xe2\x80\x9cC&A Guide Using CSAM Solution\xe2\x80\x9d\n(Version 2.0). The C&A process documents the system security requirements,\nsecurity controls, and authorization to operate the system.\n\nIn February 2010, NIST issued revised guidance 5 that transforms the traditional\nC&A process into a six-step Risk Management Framework, now known as the\n\xe2\x80\x9csecurity authorization process.\xe2\x80\x9d In addition, August 2009 guidance 6 modified the\nrequired minimum IT security controls for systems. DOI has yet to update its\nC&A policy to correlate with NIST\xe2\x80\x99s revised guidance.\n\nThe C&A policies detailed in the DOI IT Security Policy Handbook are based on\nthe traditional C&A processes, now outdated by NIST\xe2\x80\x99s February 2010 and\nAugust 2009 guidance. The Department also has multiple procedural documents\nfor implementing the C&A process, including the draft \xe2\x80\x9cDOI Certification and\n\n4\n  Circular A-130, Appendix III.\n5\n  NIST Special Publication 800-37, Revision 1, \xe2\x80\x9cGuide for Applying the Risk Management Framework to\nFederal Information Systems.\xe2\x80\x9d\n6\n  NIST Special Publication 800-53, Revision 3, \xe2\x80\x9cRecommended Security Controls for Federal Information\nSystems and Organizations.\xe2\x80\x9d\n\n                                                                                                        10\n\x0cAccreditation Guide\xe2\x80\x9d (February 4, 2008) and the \xe2\x80\x9cDOI C&A Guide using CSAM\nSolution.\xe2\x80\x9d\n\nWe found that bureaus were aware of the various policy and guidance documents,\nyet do not have a definitive understanding of which guidance to follow.\nConfusion over the policy and procedural guidance has impacted the\nimplementation of DOI\xe2\x80\x99s C&A program.\n\nFISMA Sample of Systems\nThe weaknesses we identified in our sample are indicative of a flawed\nDepartmental authorization process. Such issues adversely affect the authorizing\nofficial\xe2\x80\x99s capability to manage information security system risks. Our review\ndetermined most of the C&A packages would not give an authorizing official a\ncomprehensive and valid understanding of the system security posture and could\nnot be relied on to support their decision to authorize the operation of the system.\n\nWe reviewed a representative sample of 21 IT systems to assess the Department\xe2\x80\x99s\nC&A process (See Appendix 1: Scope and Methodology for the complete list of\nsystems). Our review revealed noncompliance with DOI procedures,\ndocumentation deficiencies, invalid accreditations, complex systems not\nidentifying and describing component parts, untimely updates of system security\nplans, and self assessment of controls and contingency plans.\n\nOur review was based on data provided by bureaus and artifacts from CSAM.\nCSAM is the official repository for C&A packages, POAM, and Internal Control\nReviews for each accredited system in inventory.\n\nCSAM experienced a system failure and backup glitch that had a major impact on\nthe completeness and accuracy of the data in CSAM. The Department CIO stated\non July 2, 2010, \xe2\x80\x9cUnfortunately, analysis has revealed a breakdown in database\nbackup processes and procedures resulting in loss of data entered into CSAM\nsince approximately February 19, 2010.\xe2\x80\x9d Since our FY 2010 FIMSA Evaluation\nwas underway during that time, some of our findings may have been impacted.\nCommonalities we identified in the sample of systems included weaknesses in\ndocumentation, system accreditation, control reviews, and contingency plan tests.\n\nDocumentation\nWe found that C&A documentation is done inconsistently and lacks quality. We\nassessed the C&A packages for our systems sample and determined an overall\nquality rating of \xe2\x80\x9cgood,\xe2\x80\x9d \xe2\x80\x9csatisfactory,\xe2\x80\x9d or \xe2\x80\x9cpoor.\xe2\x80\x9d The ratings were based on\nsufficiency and completeness of detail within the package, compliance with NIST\nand Departmental guidance, and document organization. Our primary focus was\nto see if the package provided an authorizing official with an accurate\nunderstanding of the system security posture to make valid decisions to operate\nthe system. We found security documentation that showed 62 percent of the 21\n\n\n\n                                                                                  11\n\x0csystems were in the \xe2\x80\x9cpoor\xe2\x80\x9d category, 24 percent were \xe2\x80\x9csatisfactory,\xe2\x80\x9d and only 14\npercent were \xe2\x80\x9cgood.\xe2\x80\x9d\n\nSome C&A packages were generated using the CSAM system capabilities, while\nothers were produced independently. The packages generated using CSAM\ngenerally lacked tailoring and system-specific detail. CSAM is capable of\ngenerating a complete authorization package, but the end result is only as good as\nthe original data entered. We found that portions of the system security plans were\nmissing information and only displayed templates or placeholders. We also\nidentified system security plans with broken hyperlinks, generic responses,\nlimited or no documented update history, and blank signature pages for system\nsecurity plan approval. Packages produced independently of CSAM were found to\nbe more complete and the documents were reviewed for quality.\n\nSystem Accreditation\nDuring our evaluation of the FISMA sample of systems, we indentified varying\nissues with system accreditation. We noticed several weaknesses with the\ndocumentation and the process. Problems include:\n\n   \xe2\x80\xa2   Not all systems are accredited;\n   \xe2\x80\xa2   The accreditation process for systems in development is unclear;\n   \xe2\x80\xa2   Component parts are not fully identified within a larger accreditation\n       boundary; and\n   \xe2\x80\xa2   Not all accreditations are completed on time. Furthermore, minimum\n       controls have not been implemented following NIST revisions in August\n       2009.\n\nAccreditation Problems and Weaknesses\nFirst, not all Department systems are accredited. We identified three systems\n(Radio, Project Portfolio Management, and S&SS-Low) that are deployed in the\nDOI environment to varying extents and determined that they are neither covered\nunder valid security authorizations, nor fully identifiable in the DEAR IT\ninventory.\n\nThe Radio Systems Program accreditation has not been completed to date. Radio\nsystems are used in various missions by the Bureau of Indian Affairs (BIA),\nBLM, FWS, NPS, Bureau of Reclamation (USBR), and USGS. Since the DOI\nRadio System Program was one of the systems in our sample, we requested\nsecurity documentation on December 17, 2009, and were informed the\nconsolidated program or bureaus\xe2\x80\x99 instances do not have supporting C&A\npackages. The Office of Management and Budget classifies radio systems as a\nGeneral Support System, and they must adhere to FISMA requirements, including\nsystem accreditation. DOI established the Radio Site Consolidation project charter\non June 18, 2010, to analyze alternatives and the feasibility of restructuring the\nprogram, but accreditation has not been completed.\n\n\n                                                                                12\n\x0cProject Portfolio Management does not have a valid accreditation. The system is\nused by the DOI investment review board and is not included in DEAR inventory\nor CSAM. We did not receive a response from the Office of the Secretary (OS)\nregarding our request for system documentation.\n\nThe Science and Support System-Low (S&SS-Low) accreditation has not been\ncompleted. During our FY 2009 FISMA evaluation, we expressed concerns about\nthe accreditations of two USGS systems: the Office Automation General and\nOffice Automation Specialized. The Associate Director for Geospatial\nInformation and CIO stated on June 12, 2009, that \xe2\x80\x9cin accordance with the\nboundary change certificate memo, the subject systems will have all Assets or\nconstituent subsystem-level components realigned into new systems, therefore\ndecommissioning the old systems is required.\xe2\x80\x9d Our FY 2010 sample included two\nsystems (S&SS-Low and S&SS-Moderate) on the receiving end of this USGS\ncomponent realignment. We are unable to reconcile the asset realignment and\ngain assurance that all component systems are properly accredited for this\nevaluation.\n\nSecond, the Department\xe2\x80\x99s guidance regarding the accreditation process for\nsystems in development is unclear. The Department\xe2\x80\x99s C&A Guide elaborates on\nthe Clinger-Cohen Act, which \xe2\x80\x9cdirects the heads of agencies to \xe2\x80\x98incorporate\ninformation security principles and practices throughout the lifecycles of the\nagency\xe2\x80\x99s information systems,\xe2\x80\x99\xe2\x80\x9d by stating, \xe2\x80\x9cTherefore, any automated\ninformation resource under development, and at any stage during operation and\nmaintenance through disposal, must be included in the security requirements of\nthe system.\xe2\x80\x9d\n\nWe included one such system in our sample to gain an understanding of how the\nauthorization process is implemented during system development. We found that\nthe system, Incident Management and Analysis and Reporting System (IMARS),\nwhich is being created to provide a Department-wide information collection,\nanalysis, and reporting system for law enforcement and non-law enforcement,\nlacks proper documentation and does not have a timely accreditation process\nunderway. 7 The system has been in various stages of development since 2004 but\nthe security documentation process has not moved forward. IMARS is on the\nOffice of Management and Budget\xe2\x80\x99s FY 2010 high risk information technology\nprojects list. The necessary security considerations have not been documented.\n\nWhen we requested the C&A package for the IMARS system, we received a\nmemorandum from the authorizing official with a brief status update, which did\nnot detail the NIST defined tasks that should be underway. Also, the\n\n\n7\n  NIST Special Publication 800-37, Revision 1 (page 5), describes the process for managing information\nsystems-related risks, including, \xe2\x80\x9cintegrating information security requirements into system development life\ncycle.\xe2\x80\x9d Many of the tasks associated with the system\xe2\x80\x99s authorization process are detailed in NIST 800-37 and\nbegin during system development.\n\n\n                                                                                                          13\n\x0cDepartment\xe2\x80\x99s official repository for C&A package documentation, CSAM, does\nnot contain any security-related documentation for the system.\n\nThird, we found that component parts are not fully and consistently identified\nwithin a larger accreditation boundary. When we looked at component parts, or\nminor applications within complex systems, to determine if they are adequately\nidentified in the accreditation package, we found that the level of detail varied by\nsystem size and by bureau.\n\nAs an example, inconsistencies were identified between bureaus in how they\nreflect components in CSAM. The Office of the Secretary successfully and\neffectively identified the component part (the Talent Management System) within\nthe Human Resource Management Suite major application package. We\ndetermined that NPS did not adequately describe the two applications we\nreviewed. The Yosemite Wilderness Permit System and the Concession\nManagement System were neither described in detail nor clearly identified in the\nrelated GSS accreditation package.\n\nAlso, despite guidance from the CSAM C&A Guide, the Concession Management\nSystem minor application is not fully identifiable in DEAR and associated with\nthe NPS OneGSS. Both NPS minor applications are not fully described in the\nsystem security plan, security categorization is not documented, and the security\ncontrols are not identified for each subsystem component.\n\nFinally, we found reaccreditations that were not completed in a timely manner.\nNIST states that the maximum authorization period for an information system is 3\nyears. Four sample systems had accreditations that expired during our evaluation.\nThe reaccreditations were not completed to correspond with the accreditation\nexpiration date. In all instances, the reaccreditations were between 60 and 90 days\noverdue, as of the date of this report. One date reflected in CSAM showed that the\naccreditation expired on June 11, 2011, but the signed accreditation memo shows\nthat the accreditation expired on August 7, 2010.\n\nAnnual Self Assessments and NIST Revisions\nFISMA \xc2\xa7 3544(b)(5), requires annual assessments of the effectiveness of\ninformation security policies, procedures, practices, and security controls for all\nsystems. The CIO issued a memorandum 8 with detailed instructions and a\nmethodology for completing annual self-assessments for systems. It included a\nrequirement that CSAM should be used to document all system Internal Control\nReview assessments for FY 2010. We found that only 67 percent of the bureaus\nare using CSAM to assess the system IT security controls.\n\nNIST Special Publication 800-53, Revision 3 guidance has not been addressed in\nDOI guidance. All controls in that guidance have not been implemented. Most\nC&A packages are based on the second revision (NIST Special Publication 800-\n8\n    \xe2\x80\x9cInternal Control Review Guidance for FY2010,\xe2\x80\x9d February 24, 2010.\n\n                                                                                  14\n\x0c53, Revision 2), instead of the current version, which was released in August\n2009. These updates were to be fully implemented by August 2010, but CSAM\nhas not yet been updated. The FY 2010 annual assessments were completed using\nRevision 2, but the additional controls have not been assessed, and we have no\nassurance all minimum baseline controls have been implemented.\n\nAlso, we identified multiple process weaknesses during our review of self\nassessments. We did not find a historical record of assessments consistently\nposted in CSAM, so we were unable to ascertain if all systems had undergone an\nannual assessment within 12 months of their FY 2009 self assessment. We also\nfound that large and complex systems do not have a methodology to effectively\nconsolidate control assessments when they are completed at multiple sites under\nthe accreditation boundary. Many security controls did not contain any\nimplementation description.\n\nContingency Plan Testing\nWe found inadequate contingency plan testing within the Department. Our sample\nrevealed that 67 percent of the system contingency plan tests were either not\ncompleted on time or were insufficiently documented. The DOI IT Security\nPolicy Handbook states that bureaus must test the contingency plan for\ninformation systems \xe2\x80\x9cat least annually using bureau or office developed-tests and\nexercises to determine the plan\xe2\x80\x99s effectiveness and the organization\xe2\x80\x99s readiness to\nexecute the plan.\xe2\x80\x9d We found multiple systems had test date data entered in\nCSAM, but no artifacts were provided to support the entry. Without\ncomprehensive and well-documented contingency plan tests, DOI is unable to\nhave confidence in their plans.\n\nDOI Compliance Reviews\nWe found an ineffective compliance review process within the Department. The\nresults from the reviews are often inflated and they are of little benefit to the\nbureaus.\n\nThe Department\xe2\x80\x99s Cyber Security Division conducts annual reviews at each\nbureau as part of the Department\xe2\x80\x99s FISMA oversight and compliance efforts.\nThere is overlap between the OIG FISMA Evaluation and Cyber Security\nDivision\xe2\x80\x99s compliance reviews; however, the OIG and Cyber Security Division\nresults often disagree.\n\nOur evaluation noted numerous errors and inconsistencies in the bureaus\xe2\x80\x99\nauthorization packages, yet the Cyber Security Division\xe2\x80\x99s compliance reviews\nresulted in perfect, or near perfect, scores. During our fieldwork, bureaus\nexpressed confusion over the differences in our findings and Cyber Security\nDivision\xe2\x80\x99s lack thereof. Bureaus further stated that the Cyber Security Division\ngave them an opportunity to correct identified deficiencies and have their score\nmodified.\n\n\n\n                                                                                   15\n\x0c    Recommendations\n\n      4. Update DOI\xe2\x80\x99s security authorization policy and guidance to\n         incorporate the latest NIST guidance (NIST 800-37, Revision 1, and\n         NIST 800-53, Revision 3).\n\n      5. Merge the multiple DOI security authorization procedural documents\n         into a single document. The guidance should clarify when the\n         authorization process begins in the life cycle, the role of the senior risk\n         executive, and clarify how information system boundaries are to be\n         documented.\n\n\nSecurity Configuration Management\nPolicy\nSecurity configuration management is fundamental to the overall success of an\ninformation security program. FISMA emphasizes the need for organizations to\nimplement an organization-wide information security program. A March 22, 2007\nOffice of Management and Budget memorandum directed agencies to comply\nwith Federal Desktop Core Configuration (FDCC) standards, the security\nconfiguration standards that were developed by NIST, the Department of Defense,\nand the Department of Homeland Security, by February 1, 2008. One year after\nOMB\xe2\x80\x99s memorandum, the Department\xe2\x80\x99s Office of the Chief Information Officer\nissued policy in March 2008 requiring all offices to be in full compliance with\nFDCC standards by September 30, 2008.\n\nFederal Desktop Core Configuration\nFDCC standardizes desktop and laptop configurations and is intended to provide a\nsecure, enterprise-wide managed environment. Departmental policies require\ncompliance with FDCC and also that deviations are documented and approved.\n\nWe performed technical testing and assessed FDCC compliance by measuring\nspecific standards and configurations settings on the following benchmarks: 9\n\n     \xe2\x80\xa2   Windows XP Professional;\n     \xe2\x80\xa2   Internet Explorer Version 7; and\n     \xe2\x80\xa2   Windows XP Firewall.\n\nWe found that the Department was 80 percent compliant 10 with FDCC\nbenchmarks in 2010, compared to 68 percent compliant in 2009.We also found\ninconsistencies, however, such as disparate Web browsers, and unapproved\n\n9\n  We assessed compliance with FDCC where bureaus had these three benchmarks available. Not all bureaus\nemployed these benchmarks, so we were unable to test disparate software.\n10\n   OIG Secure Content Automation Protocol (SCAP) testing did not take into account approved or\nunapproved deviations.\n\n                                                                                                    16\n\x0cFDCC deviations. We reviewed the concept of least privilege and its\nimplementation and impact on security configuration management. The\ninconsistent configurations present a challenge in securing DOI workstations and\nhinder the Department\xe2\x80\x99s ability to monitor FDCC compliance.\n\nWe conducted technical testing in June 2010 and found FDCC compliance varies\nby bureau as demonstrated in Figure 1. We tested all bureaus with the exception\nof OHA, as technical testing capabilities were not available to test their operating\nsystems. We found differences in FDCC compliance ranging from 58 to 95\npercent throughout the bureaus.\n\n     Overall Percentage of Compliance with all FDCC Benchmarks\n\n  100\n   90\n   80\n   70\n   60\n   50\n   40\n   30\n   20\n   10\n    0\n\n\n\n\nFigure 1. We found differences in FDCC compliance ranging from 58 to 95 percent\nthroughout the bureaus.\n\nInconsistencies\nWe identified inconsistencies and unapproved deviations throughout much of the\nDepartment during our data analysis. These inconsistencies make monitoring the\nDepartment\xe2\x80\x99s overall FDCC compliance challenging. We found that:\n\n    \xe2\x80\xa2   BIA, USBR, MMS, and OSM were unable to validate their own\n        compliance with FDCC;\n    \xe2\x80\xa2   BLM, FWS, NPS, OHTA, OST, and SOL did not have approved\n        deviations from mandatory FDCC settings;\n    \xe2\x80\xa2   MMS, NBC, NPS, Office of the Secretary (OS), and OST do not use the\n        inherent Windows XP firewall, which puts them at risk for not meeting\n        FDCC security requirements;\n    \xe2\x80\xa2   USBR, FWS, and USGS do not have firewalls consistently turned on like\n        other bureaus;\n\n\n                                                                                  17\n\x0c    \xe2\x80\xa2    One typical Office of the Secretary user with elevated privileges managed\n         his own FDCC compliance settings instead of receiving the Department\xe2\x80\x99s\n         policy through automated mechanisms; and\n    \xe2\x80\xa2    One Office of the Secretary user did not have a firewall turned on at any\n         time.\n\nDisparate Web Browsers\nWe found multiple versions of Web browsers throughout the agency. FDCC\nmandates that each browser be configured with equivalent FDCC settings, yet we\nfound BIA, BLM, USBR, FWS, MMS, NBC, OS, OSM, and USGS did not\nconfigure their additional browsers to be secure. The following table demonstrates\nthe Department\xe2\x80\x99s disparate Web browsers:\n\n                      Disparate Web Browsers by Bureau\n\n   Bureau        No. of        Browsers and Versions Identified\n                 Browsers\n                 Reported\n   BIA                5        Internet Explorer 7 and Internet Explorer 8; Multiple versions of\n                               Mozilla Firefox; Multiple versions of Safari; Netscape Navigator;\n                               and Google Chrome\n   USBR               5        Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8;\n                               Multiple versions of Mozilla Firefox; Multiple versions of Safari;\n                               Google Chrome versions 1-5; and Opera V9 and V10\n   BLM                2        Internet Explorer 7 and Mozilla Firefox\n   FWS                5        Internet Explorer 7 (FWS did not identify the other 4 browsers)\n   MMS                2        Internet Explorer and multiple versions of Mozilla Firefox\n   NBC                2        Internet Explorer and Mozilla Firefox\n   NPS                5        Internet Explorer 7 and Internet Explorer 8; Multiple versions of\n                               Mozilla Firefox; Netscape Navigator; Google Chrome; and Opera\n   OHA                2        Internet Explorer 7 and Internet Explorer 8\n   OHTA               0        0\n   OS                 2        Internet Explorer and Mozilla Firefox\n   OSM                2        Internet Explorer and Mozilla Firefox\n   OST                0        0\n   SOL                0        0\n   USGS               5        Internet Explorer, Mozilla Firefox, Safari, Google Chrome, and\n                               Opera\n\nFigure 2. These are the browsers that each of the bureaus reported in the OIG data call. In\nsome cases, the number of browsers reported differs from the number actually identified.\n\nLeast Privilege and Elevated Rights\nFDCC standards prohibit elevated privileges and require least privilege for users,\na concept in which users are assigned the absolute minimum privilege necessary\nto perform required tasks (e.g., \xe2\x80\x9clocal administrator\xe2\x80\x9d or \xe2\x80\x9cpower user\xe2\x80\x9d settings).\nAssigning elevated privileges, such as \xe2\x80\x9clocal administrator\xe2\x80\x9d or \xe2\x80\x9cpower user,\xe2\x80\x9d\nenable users to circumvent standard configuration controls. According to NIST,\nany privilege that is not a default user right is an \xe2\x80\x9cescalated privilege\xe2\x80\x9d and is not\nin compliance with FDCC.\n\n\n                                                                                                    18\n\x0cWe found six bureaus that elevated \xe2\x80\x9ctypical\xe2\x80\x9d or \xe2\x80\x9cnormal\xe2\x80\x9d user accounts to \xe2\x80\x9clocal\nadministrator\xe2\x80\x9d or \xe2\x80\x9cpower users.\xe2\x80\x9d Moreover, these users are constantly logged in\nwith escalated rights and privileges, thus inviting the opportunity for malicious\nsoftware (malware) that can damage Department files and settings.\n\n             Percentage of Users with Local Administrative Privileges\n\n              70\n              60\n              50\n              40\n              30\n              20\n              10\n               0\n                       USBR         FWS          MMS           NPS         OHTA          OSM\n\n\nFigure 3. Shows the disparity of percentages of users with elevated privileges, such as \xe2\x80\x9clocal\nadministrator\xe2\x80\x9d or \xe2\x80\x9cpower user,\xe2\x80\x9d among bureaus.\n\nNetwork Access Control\nThe Department and bureaus have Plan of Action and Milestones 11 (POAM) with\nan estimated cost of $3 billion to mitigate the weaknesses associated with network\naccess control. Network access control, required per NIST Special Publication\n800-53 (IA-3) and Departmental policy, prevents unauthorized devices from\nconnecting to the network by assuring a device is authenticated.\n\nDuring fieldwork at three bureaus, we determined that network access control was\nnot deployed to prevent unauthorized computers from connecting to the network.\nWe connected an unauthorized computer to the network and performed scanning\nthat was likely to be detected, and little to none of the activity was identified or\nreported. We were able to connect to internal Web sites containing sensitive\ninformation from the unauthorized computer without being authenticated as a\nDOI or bureau user.\n\nWe also found weak physical security controls. 12 We successfully gained entry\nand access to offices without any type of identification. Once we were inside\nbureau facilities, physical access was virtually unrestricted, which enabled logical\naccess to the network. Weak physical security controls coupled with the lack of\n\n\n11\n     POAM ID number 13870.\n12\n     The Incident Response section contains additional information on weak physical security controls.\n\n                                                                                                         19\n\x0cnetwork access control implementation could lead to the loss or compromise of\nsensitive information.\n\nSecurity Technical Implementation Guides\nSecurity technical implementation guides (STIGs) are security configuration\nchecklists or instructions for configuring an application or product to a particular\noperational environment (e.g., a computer or network devices). Departmental\npolicy requires that STIGs be used as part of the overall security baseline.\n\nThe Department\xe2\x80\x99s security configuration policy does not address all operating\nsystems and applications in use across the agency. We determined DOI has\nadditional applications for which they do not have applicable STIGs. In addition,\nwe found users with administrator rights who had installed peer-to-peer\napplications, games, adult content screensavers, and other unauthorized software\nthat went undetected by the Department despite DOI IT Security policy\nprohibiting it. The Department cannot create a STIG for unidentified software.\n\n Recommendations\n\n      6. Implement least privilege principal and control use of elevated user\n         rights.\n\n      7. Standardize Web browsers and firewalls on workstations Interior-\n         wide.\n\n      8. Document and approve all deviations from FDCC compliance.\n\n      9. Implement network access controls.\n\n\nIncident Response and Reporting\nPolicy\nFISMA \xc2\xa7 3544(a)(7) requires that agencies establish incident response\ncapabilities and have formal procedures to detect, report, and respond to security\nincidents. Agencies are also required to notify and coordinate their incident\nresponse activities with the Department of Homeland Security\xe2\x80\x99s U.S. Computer\nEmergency Readiness Team (US-CERT) and notify and consult with law\nenforcement agencies, including their respective OIG when necessary based on\nthe guidance. Office of Management and Budget\xe2\x80\x99s July 12, 2006 memorandum\nM-06-09 13 also requires that agencies report all incidents involving personally\nidentifiable information (PII) to US-CERT within 1 hour of discovering the\nincident.\n\n\n13\n  Memorandum M-06-09, \xe2\x80\x9cReporting Incidents Involving Personally Identifiable Information and\nIncorporating the Cost for Security in Agency Information Technology Investments.\xe2\x80\x9d\n\n                                                                                               20\n\x0cNIST Special Publication 800-61 14 provides guidance for handling IT security\nincidents. The Interior Computer Security Incident Response Handbook 15 also\noutlines response and reporting procedures for the agency in sufficient detail, and\nis consistent with NIST and the DOI IT Security Policy Handbook, which\nrequires bureaus to have an incident response capability.\n\nThe Interior Computer Security Incident Response Handbook states that incident\nresponse coverage is from 7 a.m. to 7 p.m., Eastern Standard Time. Security\nOperations personnel act as a point of contact for reporting incidents at the\nDepartment and manage the DOI Computer Incident Response Center (CIRC), a\ncentralized database or ticketing system intended to correlate and track incidents\nat all bureaus.\n\nProcedure Implementation is Lacking\nWe found that the incident response capability within the Department is\nfragmented and inconsistent. We identified inconsistencies in how DOI reports\nincidents to US-CERT. We also identified inconsistencies with bureaus reporting\nto DOI using the DOI CIRC. We found that bureaus have their own incident-\nreporting and response policies and procedures, which makes it difficult for the\nagency to correlate key incidents in a central location. We sampled three bureaus\nand found that two of them were not aware of the Interior Computer Incident\nResponse Handbook issued in January 2010.\n\nThe multiple layers to report an incident to the Department is time intensive and\nnot consistently followed. The lack of a bureau-wide, consolidated approach,\ncoupled with duplicative policy and procedures, is hindering the DOI Incident\nResponse program as a whole.\n\nAbsence of Preventative Measures and Breakdown of Procedures\nWe found that key preventative and incident detection measures were absent and\nsome procedures were disregarded.\n\nOur testing at three bureaus found file and object access not enabled. Having file\nand object access enabled would allow the bureaus to record and identify OIG or\nunauthorized personnel\xe2\x80\x99s access or attempted access to sensitive information. We\nfound that permissions set to protect sensitive information were generally\nrestrictive throughout the three bureaus but not in all cases. We found that as a\ndomain administrator or local administrator of a server, we were able to view,\nmodify, and copy sensitive information without being detected.\nWe also found weak physical security controls. At a National Park Service\nheadquarters building, we were able to piggyback into the secure facility with an\narmed Park Ranger through a door for employees only. Once inside, physical\naccess to the bureau facilities was virtually unrestricted, allowing us to gain\nlogical access to the network and collect hardcopy personally identifiable\n\n14\n     Revision 1, \xe2\x80\x9cComputer Security Incident Handling Guide,\xe2\x80\x9d (March 2008).\n15\n     Version 2, issued on January 28, 2010.\n\n                                                                                 21\n\x0cinformation (PII) and sensitive information. Weak physical security controls led\nto the loss and compromise of hardcopy sensitive information that was never\nreported to DOI CIRC. We were 100 percent successful in gaining access to three\nbureau networks with an unauthorized computer. In some cases, we were able to\nfind and access sensitive information with the unauthorized computer.\n\nLogging in with credentials obtained by successful social engineering attacks\ncould have been prevented if two-factor authentication, the use of two\nindependent authentication methods for authorizing secure access to a system,\nwere implemented. We were 100 percent successful at all three bureaus in\nobtaining usernames or passwords to log into computers. Two-factor\nauthentication was not enforced on these accounts, as we logged in without a\nPersonal Identity Verification card.\n\nWe reviewed incidents within the DOI-CIRC from April 21 through September\n14, 2010 and found that only three of 245 PII tickets were reported to US-CERT\nwithin the required 1-hour timeframe. Of the 245 PII incidents we reviewed\nwithin DOI-CIRC, we found that bureaus took an average of 54 days to report PII\nincidents to the Department, which delayed the Department\xe2\x80\x99s required report to\nUS-CERT. Our testing even created an incident in Alaska. We found that our\nincident was reported to a trained IT security manager within the state, but the IT\nsecurity manager never reported it to the bureau level. These stovepipes do not\nallow the centralized management and correlation of incidents to take place in a\ntimely enough manner so that Departmental procedures can be followed.\n\nIncidents\nOur testing of incident response at three bureaus demonstrates the inconsistency\nwith which they identify and report incidents. When we created incidents during\nour testing, we found reporting in one bureau was timely and accurate but\nuntimely and inaccurate in another. We found the following unreported incidents:\n\n   \xe2\x80\xa2   Unauthorized access to facilities;\n   \xe2\x80\xa2   Copy and removal of PII from servers;\n   \xe2\x80\xa2   Unauthorized access to documents;\n   \xe2\x80\xa2   Removal of hardcopy PII-sensitive documents;\n   \xe2\x80\xa2   Social engineering attacks;\n   \xe2\x80\xa2   Unauthorized scans of networks;\n   \xe2\x80\xa2   Unauthorized computers connected to networks; and\n   \xe2\x80\xa2   Passwords cracked on files with weak encryption standards.\n\nWe also obtained numerous documents and property from NPS, such as:\n\n   \xe2\x80\xa2   Social Security numbers in hardcopy documents, workstations, and\n       servers;\n   \xe2\x80\xa2   Numerous users\xe2\x80\x99 personal listings of username and passwords in various\n       formats (e.g., MS Excel, MS Word and text files) for GovTrip,\n\n                                                                                 22\n\x0c       QuickTime, Interior Department Electronic Acquisition System (IDEAS),\n       and the Federal Financial System;\n   \xe2\x80\xa2   Numerous credit card numbers and personal receipts attached;\n   \xe2\x80\xa2   Social Security numbers posted to internal Web sites of external vendors\n       or providers;\n   \xe2\x80\xa2   Adjudication of security clearances;\n   \xe2\x80\xa2   385 IBM Lotus Notes IDs coupled with a password list, which allow\n       unauthorized access to users\xe2\x80\x99 email accounts;\n   \xe2\x80\xa2   Sensitive information from unlocked shredder bins; and\n   \xe2\x80\xa2   An unlocked workstation with a username and password on the screen.\n\nOf these documents and findings, we found neither that the incidents were\nreported nor any indication that the bureaus knew these documents had been\ncompromised. Our review demonstrated that incidents were not identified and\npreventative, and detection measures are not fully in place at the Department.\n\n Recommendations\n\n    10. Implement incident response policies and procedures consistently\n        throughout bureaus and offices.\n\n    11. Require bureaus and offices to use the Department\xe2\x80\x99s DOI-CIRC\n        database for incident response and reporting versus their own\n        implementation.\n\n\nSecurity Training\nPolicy\nFISMA has multiple security training requirements designed to inform personnel\nof information security risks and responsibilities. DOI\xe2\x80\x99s annual security training,\nFederal Information Systems Security Awareness (FISSA), is required by all\nusers. Role-Based Information Technology Security Training is required by those\nwith significant IT responsibilities. All users must annually acknowledge the\nRules of Behavior, which detail users\xe2\x80\x99 expected behavior with regard to\ninformation and information system use.\n\nDOI\xe2\x80\x99s FISSA training consolidates Privacy and Records Management and the\nannual acknowledgement of the Rules of Behavior. According to the DOI IT\nSecurity Policy Handbook, FISSA \xe2\x80\x9cis required by all information system users\nbefore authorizing access to information systems and annually thereafter.\xe2\x80\x9d\nTraining requirements reiterated in a December 22, 2009 memorandum from the\nDOI CIO \xe2\x80\x9crequire all users of Department of the Interior (DOI) information\nsystems to receive annual information security awareness, privacy, and records\nmanagement training, as well as acknowledging system Rules of Behavior\xe2\x80\x9d by\nJuly 31, 2010. An April 21, 2010 Office of Management and Budget\n\n                                                                                 23\n\x0cMemorandum (M-10-15) details the FY 2010 FISMA reporting requirements and\nextends the FISSA training requirement to \xe2\x80\x9ceach employee,\xe2\x80\x9d not just system\nusers.\n\nThe annual requirement for users to complete the Rules of Behavior agreement\nwas established in the CIO\xe2\x80\x99s December 22, 2009 memorandum. The DOI IT\nSecurity Policy Handbook also states that bureaus shall \xe2\x80\x9censure receipt of signed\nacknowledgement from users indicating that they have read, understand, and\nagree to abide by the rules of behavior, before authorizing access to the\ninformation system and its resident information.\xe2\x80\x9d It further states that bureaus\n\xe2\x80\x9cmay leverage electronic signatures for use in acknowledging rules of behavior.\xe2\x80\x9d\n\nFISMA \xc2\xa7 3544(a)3(d) requires role-based IT security training. It specifically\nrequires that the Department\xe2\x80\x99s CIO train personnel with significant\nresponsibilities for information security. Also, the DOI IT Security Policy\nHandbook states that role-based information technology security training\n\xe2\x80\x9cprograms are implemented in accordance with the DOI Role-Based IT Security\nTraining Guide, and NIST Special Publication 800-16, \xe2\x80\x98Information Technology\nSecurity Training Requirements: A Role- and Performance-Based Model\xe2\x80\x99 (March\n20, 2009).\xe2\x80\x9d On December 23, 2009, the Department CIO released Office of CIO\nDirective 2010-002, which detailed role-based information technology security\ntraining requirements and released DOI\xe2\x80\x99s updated Role-Based Security Training\nStandard Version 2.5 (November 3, 2009). The directive stated that role-based\ninformation technology security training requirements were to be completed no\nlater than July 31, 2010.\n\nResults\nFISSA\nIn general, procedures surrounding FISSA training were well implemented during\nFY 2010. There were challenges associated with the deployment of a new training\nsystem, but the guidance remained consistent and well disseminated throughout\nDOI. July 31, 2010 reports from the Departmental training system reflect that\n97.7 percent of Federal employees and other personnel 16 completed the training.\nThe training course covered DOI security policies and procedures and was\ndetermined to be comprehensive.\n\nDespite DOI efforts to provide annual training, users continue to introduce risk to\nthe environment. During unannounced fieldwork at a bureau, we observed a\ncontract employee workstation which was left unlocked, unattended, and logged-\nin to the bureau email. In addition, the email on the screen contained a user name\nand password to a bureau File Transfer Protocol (FTP) site. Our review of the\nFISSA completion records revealed that this contractor had been enrolled and\nincluded in the baseline but had not completed the FISSA training.\n\n\n16\n  Other personnel include all types of non-full time equivalents such as contractors, volunteers, and seasonal\nemployees.\n\n                                                                                                           24\n\x0cRules of Behavior\nRules of Behavior for each bureau were included as part of FISSA training. Prior\nto completing the training, users select the rules of behavior appropriate to their\nspecific bureau. The user is asked to read the rules and select \xe2\x80\x9cI agree\xe2\x80\x9d to progress\nand finish the course. During FISMA fieldwork, we confirmed that none of the\nthree bureaus retained signed, hard copy versions of the Rules of Behavior\nacknowledgement. The DOI IT Security Policy Handbook allows electronic\nsignatures to be associated with the Rules of Behavior acknowledgement. The\nbureaus that we sampled were unsure if the submission in DOI Learn equates to\nan electronic signature.\n\nEach bureau has its own Rules of Behavior. We determined that most Rules of\nBehavior documents do not incorporate specific information regarding remote\naccess or teleworking responsibilities.\n\nRole-Based Security Training\nRole-Based Security Training is completed by personnel with significant\ninformation security responsibilities. The Department\xe2\x80\x99s Role-Based Security\nTraining Standard 17 clearly defines training requirements for each group, bureau\nresponsibilities for tracking completed training, and courses available in DOI\nLearn. As of July 31, 2010, 54 percent of all personnel required to take role-based\nsecurity training had completed the required training. The Department extended\nits reporting date for accepting training completions, and as of September 15,\n2010, it reported 96.2 percent completion.\n\nImplementation Challenges\nAccurately identifying personnel required to complete FISSA and Role-Based\nSecurity training is a challenge for DOI. The Department does not have a central\nauthoritative identity management system for identifying all personnel who have\nvarious training requirements. Establishing baselines is a manual process, which\nprovides a point-in-time number based on data from a number of available\nreports, including the active directory listing, historical training records, payroll,\nand human resources reports.\n\nRole-based security training completions are tracked in DOI Learn after users\n\xe2\x80\x9cself certify\xe2\x80\x9d that they are finished. Supporting artifacts cannot be uploaded into\nthe system as evidence of self certifications. Role-based security training in the\nDepartment can only be verified manually, using an extensive data call.\n\nSignificant IT Security Duties\nPersonnel with a range of qualifications and position descriptions perform DOI IT\nsecurity duties. On December 17, 2009, we issued a data call of all Department\npersonnel with \xe2\x80\x9csignificant IT security responsibility\xe2\x80\x9d to determine the\ndemographics of this group. The list contained employees and non-employees for\nall bureaus and reflected various portions of their time devoted to IT security\n17\n     Version 2.5, section 1.5, dated November 3, 2009.\n\n                                                                                     25\n\x0cduties. The personnel ranged in General Schedule (GS) grade levels and GS-\nseries. The information was manually compiled by each bureau because an\nautomated method does not exist.\n\nOur analysis evaluated whether IT security is performed by a sufficient number of\npersonnel with an appropriate grade structure and expertise. The results do not\nreveal a great deal of consistency regarding personnel and those variables impact\nhow IT security is conducted in DOI.\n\nThe Department\xe2\x80\x99s Role-Based Security Training Standard 18 defines the type of\npersonnel considered as having \xe2\x80\x9csignificant information security responsibility.\xe2\x80\x9d\nIn FY 2010, the Department reported 4,067 personnel with \xe2\x80\x9csignificant IT\nsecurity responsibility.\xe2\x80\x9d Our analysis revealed that:\n\n       \xe2\x80\xa2    536 more personnel were involved in IT security in FY 2010 than FY\n            2009;\n       \xe2\x80\xa2    77 percent of the personnel were fulltime Federal employees;\n       \xe2\x80\xa2    23 percent of the personnel were contractors;\n       \xe2\x80\xa2    The largest gain in personnel was at USGS, which added 142 employees;\n       \xe2\x80\xa2    The next largest gain in personnel was at FWS, which added 128\n            employees;\n       \xe2\x80\xa2    The biggest loss in personnel was at USBR, which lost 13 fulltime\n            employees;\n       \xe2\x80\xa2    The number of personnel devoting 100 percent of their time to IT security\n            dropped by 36 percent;\n       \xe2\x80\xa2    50 percent of the new 354 fulltime employees are GS-12 or above;\n       \xe2\x80\xa2    IT Security personnel increased by 22 percent from FY 2008; and\n       \xe2\x80\xa2    202 fewer people devote at least 60 percent or more of their time to IT\n            security compared to FY 2009.\n\nFigures 4 to 7 show data from our comparative analysis between FYs 2008, 2009,\nand 2010.\n\n\n\n\n18\n     Version 2.5, Section 1.5, dated November 3, 2009.\n\n                                                                                  26\n\x0c           Personnel Reported (total) Year-by-Year Comparison\n\n               FY 2008           FY 2009                          FY 2010\n                                                  Total                            Total\n Bureau     FTE      CNTR     FTE      CNTR                    FTE       CNTR\n                                                  Difference                       Difference\nBIA          127      63      148           46        +4       140           63        +9\nBLM          601      123     559           94        -71      572           81         0\nBOR          328      16      348           62        +66      335           62        -13\nFWS          284      63      273           63         -9      403           63       +128\nMMS          192      174     210           109       -47      221           174       +76\nNBC          292      141     340           232      +139      389           287      +104\nNPS          385      10      408           60        +73      440           57        +29\nOHA           5        5       6             0         -4       6             0         0\nOHTA          5       21       5            21          -       4            18         -4\nOS           56       12      63            18        +13      73            45        +37\nOSM          37       10      39             8          -      58            10        +21\nOST          17        4      21             0          -      27             0        +6\nSOL           2        1       6             2        +5        6             3        +1\nUSGS         327      42      340           48        +19      448           82       +142\nTotal       2658      685     2768          763                3122          945\nAnnual\ncombined           3343              3531           +188              4067           +536\ntotal\n\nFigure 4. Presents the number of fulltime Federal employees and contractor personnel in a\nyear-to-year comparison and how they are allocated to various DOI bureaus.\n\n\n\n\n                                                                                            27\n\x0c       Employees Reported (by Grade) Year-by-Year Comparison\n                                                                 Difference      Difference\n                Grade    FY2008      FY2009       FY2010         (FY08-09)       (FY09-10)\n               SP-5         1           1            1                 -               -\n               WG-11        2           2            1                 -              -1\n               GS-2         1           1            0                 -              -1\n               GS-3         -           2            4               +2              +2\n               GS-4         4           7           10               +3              +3\n               GS-5        24          33           37               +9              +4\n               GS-6        24          18           24                -6             +6\n               GS-7        95          94           137               -1             +43\n               GS-8        15          12           15                -3             +3\n               GS-9        218         228          278              +10             +50\n               GS-10        5           4            2                -1              -2\n               GS-11       513         522          589              +9              +67\n               GS-12       669         665          743               -4             +78\n               GS/GM-\n                           515            562          645           +47            +83\n               13\n               GS/GM-\n                           337            366          374           +29            +8\n               14\n               GS/GM-\n                           154            171          176           +17            +5\n               15\n               SL             5           4            5              -1            +1\n               SES            74          76           81             +2            +5\n\n\n                Total      2656       2768            3122          +112           +354\n\n\nFigure 5. Employees reported by grade, in a year-to-year comparison from FY 2008 to 2010.\n\n\n\n           Percent of Time Personnel Devoted to IT Security Duties\n\n                 FY 2008             FY 2009                                  FY 2010\n                                                                Total                            Total\n Percentage    FTE      CNTR       FTE          CNTR                       FTE       CNTR\n                                                             difference                       difference\n    100        506      83         524          153              +88       380        117        -180\n    \xe2\x89\xa5 90       531      91         551          160              +89       406        135        -170\n    \xe2\x89\xa5 80       549      97         579          165              +98       432        147        -165\n    \xe2\x89\xa5 70       626      103        654          182             +107       463        176        -197\n    \xe2\x89\xa5 60       652      116        686          190             +108       492        182        -202\n    \xe2\x89\xa5 50       783      134        809          214             +106       625        245        -153\n    \xe2\x89\xa5 40       845      151        858          221              +83       682        251        -146\n    \xe2\x89\xa5 30       1027     193        1008         247              +35       838        285        -132\n    \xe2\x89\xa5 20       1467     329        1510         421             +135       1547       572        +188\n    \xe2\x89\xa510        2058     517        2208         599             +232       2419       791        +403\n     \xe2\x89\xa49        600      168        560          164              -44       704        153        +133\n\nFigure 6. The time personnel devote to IT security has dropped dramatically since 2009.\n\n\n\n\n                                                                                                       28\n\x0c    Employees with Significant Information Security Responsibilities\n\n                   Job Title             Series                      Explanation\n Clerk (STEP)                             0303     IT Clerk (STEP)\n Wild Horse and Burro Specialist          0401     System Manager, Wild Horse and Burro System\n Natural Resource Specialist              0401     Active Directory Elevated Privileges\n Hydrologist                              1315     Security Point of Contact\n Geologist                                1350     IT Security Administration\n Supervisory Geologist                    1350     IT Security Manager\n Fishery Biologist                        0482     Security Point of Contact\n Geophysicist                             1313     IT Security Administration\n Physical Scientist                       1301     IT Project Manager\n Bankcard Coordinator                     0303     System Administrator\n Realty Specialist                        1170     Active Directory Elevated Privileges\n Park Ranger                              0025     OU Admin, Information Security Management\n Electronic Mechanic                      2604     Local Area Network Administrator\n Supervisory Budget Officer               0340     Budget Tracking\n Pipeline Coordinator Officer             0301     System Owner\n\nFigure 7. A considerable array of personnel who perform information security duties have\njob titles that do not seem to support the necessary qualifications for IT security functions.\n\n Recommendations\n\n     12. Evaluate the current Rules of Behavior submission process to ensure it\n         satisfies electronic signature requirements.\n\n     13. Implement a solution that assists in establishing accurate employee and\n         contractor baseline counts, such as a central authoritative identity\n         management system.\n\n     14. Review the qualifications of personnel performing IT security duties in\n         the Department and reassign those duties accordingly.\n\n\nPlan of Action and Milestones\nPolicy\nThe Office of Management and Budget has required quarterly system Plans of\nAction and Milestones (POAM) since October 31, 2001. The Plan of Action and\nMilestones program has taken steps forward since then but it certainly has not\nmatured into an effective and reliable program for managing all IT weaknesses in\nthe Department.\n\nThe DOI IT Security Policy Handbook requires Bureaus and Offices to develop\nand continuously update Plan of Action and Milestones for all systems. POAMs\nshould document all planned, implemented, and evaluated remedial actions to\ncorrect system deficiencies identified during the assessment of the system security\ncontrols. The process is to be completed in accordance with the DOI POAM\nProcess Standard. The Department CIO expanded on the policy on September 23,\n\n                                                                                             29\n\x0c2008, when he mandated the use of CSAM as the central database for managing\nPOAMs.\n\nOffice of Chief Information Officer Directive 2010-006 reiterated this policy on\nMay 18, 2010, and released an updated version on May 10, 2010, \xe2\x80\x9cDOI POAM\nProcess Standard\xe2\x80\x9d (Version 1.8), incorporating the use of CSAM and automating\nthe process. DOI\xe2\x80\x99s June 2009 \xe2\x80\x9cC&A Guide using CSAM Solution v2.0\xe2\x80\x9d provides\nadditional details and procedures for maintaining the POAM program using the\nCSAM solution.\n\nAccording to NIST Special Publication 800-37, Revision 1, \xe2\x80\x9cGuide for Applying\nthe Risk Management Framework to Federal Information Systems,\xe2\x80\x9d the Plan of\nAction and Milestones is one of the three key documents in the system\nauthorization package and is used by the authorizing official to monitor progress\nin correcting weaknesses.\n\nThe POAM describes the tasks planned to:\n\n    \xe2\x80\xa2   \xe2\x80\x9cCorrect any weaknesses or deficiencies in the security controls noted\n        during the assessment;\xe2\x80\x9d and\n    \xe2\x80\xa2   \xe2\x80\x9cAddress the residual vulnerabilities in the information system.\xe2\x80\x9d\n\nIt also identifies:\n\n    \xe2\x80\xa2   \xe2\x80\x9cThe tasks to be accomplished with a recommendation for completion\n        either before or after information system implementation;\n    \xe2\x80\xa2   The resources required to accomplish the tasks;\n    \xe2\x80\xa2   Any milestones in meeting the tasks; and\n    \xe2\x80\xa2   The scheduled completion dates for the milestones.\xe2\x80\x9d\n\nPolicy Implementation\nAll bureaus have complied with Departmental guidance to use the CSAM solution\nfor system Plans of Action and Milestones. Data in the system could be valuable\nfor management and oversight purposes. We determined that the Department,\nspecifically the Cyber Security Division, has initiated oversight efforts to enhance\nthe data quality within CSAM. The Cyber Security Division sent copies of review\nitems to bureaus, instructing them to take corrective action. Based on our analysis,\nextensive effort is necessary to enhance the Plan of Action and Milestones data\nquality. In June 2010, a CSAM system failure was followed by an unsuccessful\nbackup. The Department CIO informed users that data was lost back to\napproximately February 19, 2010. POAM updates entered in the database during\nthat period of time were impacted, but bureaus were not able to fully assess the\nimpact. During our fieldwork they were still in the process of determining what\ndata was lost.\n\n\n\n                                                                                 30\n\x0cCSAM automates the Plan of Action and Milestones process and enables the OIG\nto perform efficient analysis of the data. As with any automated system, the\noutput is only as good as the data input. We identified errors, incomplete\ninformation, and missing artifacts associated with the Plan of Action and\nMilestones. A consolidated October 4, 2010 CSAM Plan of Action and\nMilestones report for all systems showed:\n\n   \xe2\x80\xa2   The total estimated cost associated with Department Plan of Action and\n       Milestones is more than $7 billion ($7,603,531,653);\n   \xe2\x80\xa2   Continuous monitoring weaknesses have an estimated $120.5 million\n       associated cost with limited project investment planning;\n   \xe2\x80\xa2   Network access control weaknesses have an estimated $3 billion\n       associated cost with limited project investment planning;\n   \xe2\x80\xa2   11,064 Plan of Action and Milestones weaknesses are associated with\n       agency systems;\n   \xe2\x80\xa2   1,141 are associated with contractor systems;\n   \xe2\x80\xa2   3,580 are in delayed status;\n   \xe2\x80\xa2   1,330 have not been started;\n   \xe2\x80\xa2   3,227 did not have an estimated associated cost;\n   \xe2\x80\xa2   5,579 of them estimated the cost to be less than $1,000 each;\n   \xe2\x80\xa2   1,358 Plan of Action and Milestones did not have any milestones;\n   \xe2\x80\xa2   5,808 were completed in an overall average of 277 days (range was 1 to\n       3,322 days);\n   \xe2\x80\xa2   6,671 did not have an associated artifact posted;\n   \xe2\x80\xa2   16 had blank \xe2\x80\x9cdetailed weakness descriptions\xe2\x80\x9d;\n   \xe2\x80\xa2   12 had blank \xe2\x80\x9cPOAM titles\xe2\x80\x9d;\n   \xe2\x80\xa2   1,254 had planned finish dates that were blank or to be determined;\n   \xe2\x80\xa2   257 did not include organization priority (i.e., high, medium, or low);\n   \xe2\x80\xa2   487 were identified as mission critical;\n   \xe2\x80\xa2   76 of the 487 mission critical Plan of Action and Milestones were\n       completed on an overall average of 218 days (range was 1 to 868 days);\n   \xe2\x80\xa2   1,634 Plans of Action and Milestones were identified as related to\n       financial systems;\n   \xe2\x80\xa2   853 were missing system status (e.g., development, initiation, operational,\n       or retired); and\n   \xe2\x80\xa2   77 with either incorrect actual start or finish date, as the time to correct\n       was negative.\n\nUsing the data above we concluded that bureaus are gathering data in CSAM, but\nit is not being used to manage IT weaknesses, manage risks, or prioritize\ncorrective action or resource allocation. We further concluded that the data is not\nbeing used to perform effective management and oversight of the Plan of Action\nand Milestones program.\n\n\n\n                                                                                 31\n\x0cWe identified inconsistencies among three bureaus in implementing their Plan of\nAction and Milestones programs. One of the three bureaus that we reviewed\nperformed further analysis of the data to identify IT controls associated with\nsystem Plan of Action and Milestones and various statistics (e.g., delays,\nmilestones, etc.) associated with its Plan of Action and Milestones, but the\nprocess was not fully implemented. Bureaus with large, complex systems do not\nhave an established method for combining weaknesses for all component parts of\nthe system. Also, quarterly Plan of Action and Milestones briefings for the\nauthorizing officials are not conducted consistently.\n\nThe Impact of CSAM Failure\nThe Plan of Action and Milestones program was significantly impacted from the\nCSAM backup failure. During our fieldwork, all three bureaus stated that they\nexperienced data loss and would need additional resources to restore it. Most\nbureaus were unable to establish a dollar impact but all said it was a big step\nbackward. We were told by one bureau that Plan of Action and Milestones cannot\nbe reentered using historical ID numbers, and therefore tracking capabilities are\nlost.\n\n Recommendation\n\n      15. Ensure that the Department and bureaus are accountable for\n          consistent and accurate data in CSAM to manage Plan of Action and\n          Milestones weaknesses.\n\n\nRemote Access\nPolicy\nIn August 2006, the Chief Information Officer directed all bureaus to transition to\nthe Department\xe2\x80\x99s remote access system by January 31, 2007, and a May 2007\nOffice of Management and Budget memorandum 19 requires two-factor\nauthentication for remote access.\n\nFISMA emphasizes the need for organizations to implement an organization-wide\ninformation security program. NIST Special Publication 800-46, Revision 1,\n\xe2\x80\x9cGuide to Enterprise Telework and Remote Access Security,\xe2\x80\x9d provides details of\npreparing, operating, and securing remote access solutions.\n\nThe DOI IT Security Policy Handbook requires that bureaus mitigate the risk\nassociated with connecting equipment remotely and that access shall be\nexclusively provided by Government-owned computers. It states the following\nsafeguards must be implemented for remote access:\n\n\n19\n  OMB M-07-16, \xe2\x80\x9cSafeguarding against and Responding to the Breach of Personally Identifiable\nInformation.\xe2\x80\x9d\n\n                                                                                               32\n\x0c     \xe2\x80\xa2   Multi-factor authentication;\n     \xe2\x80\xa2   Whole disk encryption;\n     \xe2\x80\xa2   File and folder encryption;\n     \xe2\x80\xa2   Host-based Anti-Virus software;\n     \xe2\x80\xa2   Host-based firewall;\n     \xe2\x80\xa2   Patch management;\n     \xe2\x80\xa2   Security Technical Implementation Guides; and\n     \xe2\x80\xa2   Virtual Private Network (VPN) / Encryption of data in transit.\n\nPolicy and Telework\nThe DOI IT Security Policy Handbook provides a set of minimum standard\nelements for bureaus to address the protection of PII and sensitive data, remote\naccess, and mobile computing device usage in their Rules of Behavior agreement.\nCopies of bureaus\xe2\x80\x99 Rules of Behavior can be accessed in DOI Learn through the\ntraining course titled \xe2\x80\x9cFY 2010 Annual End-User Federal Information Systems\nSecurity Awareness + Privacy and Records Management.\xe2\x80\x9d\n\nWe found a lack of telework or remote access addressed within the Rules of\nBehavior from bureaus. Also, the Department does not have an up-to-date\ntelework policy addressing security of remote access 20 despite a June 2009\nrevision to NIST Special Publication 800-46, which states that \xe2\x80\x9ca telework\nsecurity policy should define which forms of remote access the organization\npermits.\xe2\x80\x9d We did not find this guidance during our review of the Department\xe2\x80\x99s\ntelework policy.\n\nNumerous Solutions for Remote Access\nRemote Access is noncompliant with the Office of Management and Budget or\nDOI mandates. More remote access systems have been added against the\nDepartment\xe2\x80\x99s direction and two-factor authentication has not been fully\nimplemented. These inconsistencies facilitate an unmanageable remote access\nenvironment.\n\nOur analysis of remote access systems uncovered a significant vulnerability at\nFWS. We found that FWS implemented a remote access solution that the\nDepartment did not approve to operate. We immediately notified the Department,\nand it discontinued the remote access system from connecting through the\nDepartment until its risks can be formally assessed. Further analysis revealed that\nFWS called it a \xe2\x80\x9cpilot\xe2\x80\x9d and had 100 or more users on the remote access system for\nabout 6 months. The Department\xe2\x80\x99s Enterprise Infrastructure Division, which\nmonitors and controls the Department\xe2\x80\x99s perimeter, was unaware of FWS\xe2\x80\x99s remote\naccess solution.\n\nWe also found that BLM, NBC, NPS, and USGS maintain and use separate\nremote access systems, even 3 years after the January 31, 2007 deadline for\n20\n  DOI telework policy has not been updated since Personnel Bulletin No. 05-02 first established one on\nFebruary 18, 2005.\n\n                                                                                                         33\n\x0ctransitioning to the Department\xe2\x80\x99s remote access system. FWS was found to have\nimplemented a new remote access solution this year.\n\nTwo-Factor Authentication for Remote Access\nDOI cannot enforce two-factor authentication for remote solutions because not all\npersonnel have been issued Personal Identity Verification (PIV) cards 21 (for more\ninformation, see the Account and Identity management section of this report). The\nDepartment does not enforce two-factor authentication with users who have that\nability.\n\nWe reviewed the Department\xe2\x80\x99s connections to the DOI centralized remote access\nsolution in August 2010 and found percentages of users using two-factor\nauthentication varied among bureaus. The Department did not have insight into\nthe disparate remote access for those bureaus.\n\nDepartment-wide, 22 percent of users logged in, in August 2010, using two-factor\nauthentication for remote access. Bureau compliance ranges from 0 to 100 percent\nin their use of two-factor authentication. The following percentages show bureau\ncompliance with the use of two-factor remote access within the bureaus:\n\n     \xe2\x80\xa2   OHA: 0 percent;\n     \xe2\x80\xa2   FWS: less than 1 percent;\n     \xe2\x80\xa2   MMS: 2 percent;\n     \xe2\x80\xa2   NBC: 2 percent;\n     \xe2\x80\xa2   OS: 3 percent;\n     \xe2\x80\xa2   NPS: 6 percent;\n     \xe2\x80\xa2   BIA: 12 percent;\n     \xe2\x80\xa2   BLM: 35 percent;\n     \xe2\x80\xa2   USGS: 47 percent;\n     \xe2\x80\xa2   OST: 70 percent;\n     \xe2\x80\xa2   OHTA: 77 percent;\n     \xe2\x80\xa2   USBR: 94 percent; and\n     \xe2\x80\xa2   OSM: 100 percent.\n\nConnections to Remote Access\nDuring our interviews at the bureaus, we found that any computer, such as a\npersonal or public library computer can connect to the Department\xe2\x80\x99s remote\naccess solution, despite the DOI IT Security Policy Handbook requirement that\nonly Government computers can access the Department\xe2\x80\x99s remote access solution.\nThis means that the Department can only enforce one of the eight safeguards:\n\xe2\x80\x9cVirtual Private Network (VPN) / Encryption of data in transit.\xe2\x80\x9d The Department\nhas no way to validate that personal computers are configured securely. If the\nDepartment enables host checking, 22 DOI can reasonably ensure that only\n21\n  As of September 30, 2010, 27,326 personnel have yet to be issued PIV cards.\n22\n  Host checking would allow the Department to authorize remote access connections based on criteria such\nas security configurations.\n\n                                                                                                      34\n\x0cauthorized Government computers with the proper security configurations can\nconnect to DOI remotely.\n\n Recommendations\n\n      16. Consolidate remote access solutions to allow efficiency and reduce\n          duplicative services.\n\n      17. Enforce two-factor authentication.\n\n      18. Enable host checking for remote access.\n\n      19. Update the telework policy from Personnel Bulletin No. 05-02.\n\n\nAccount and Identity Management\nPolicy\nFISMA requires Federal agencies to provide information security for its IT assets.\nAccount and identity management directly correlates with the ability to securely\nmanage IT assets. Homeland Security Presidential Directive 12 mandates the use\nof standard identification for employees and contractors by October 27, 2009, so\nas to be compliant with Federal Information Processing Standards 23 and NIST\nSpecial Publication 800-63. 24\n\nDOI Personnel Bulletin 09-06 25 requires compliance with Federal Information\nProcessing Standards 201-1 and Homeland Security Presidential Directive 12.\nThe Chief Information Officer\xe2\x80\x99s December 2009 memorandum, \xe2\x80\x9cDOI Access\nProcedures for Bureau/Office Active Directory and Email Systems,\xe2\x80\x9d recommends\nthat bureaus adhere to new account provisioning procedures and align with DOI\nPersonnel Bulletin 09-06.\n\nThe DOI IT Security Policy Handbook requires that bureaus \xe2\x80\x9cmanage all\ninformation system accounts, including establishing, activating, modifying, and\nreviewing, disabling, and removing accounts\xe2\x80\xa6\xe2\x80\x9d and \xe2\x80\x9censure information system\naccounts are reviewed at least every 3 months.\xe2\x80\x9d\n\nIn a September 27, 2010 management advisory, we expressed concern for simple\nsocial engineering techniques that showed a lack of or failure to follow account\nmanagement procedures. Social engineering results ended in obtaining the\nusername and password for accounts of a Chief Information Security Officer,\nfield office managers, human resources staff, and a domain administrator.\n\n\n23\n   201-1, \xe2\x80\x9cPersonal Identity Verification of Federal Employees and Contractors,\xe2\x80\x9d issued in March 2006.\n24\n   \xe2\x80\x9cElectronic Authentication Guideline,\xe2\x80\x9d issued in April 2006.\n25\n   \xe2\x80\x9cPolicy for the Issuance and Management of DOI Access Cards,\xe2\x80\x9d issued in June 2009.\n\n                                                                                                         35\n\x0cThe DOI Access Program\nOf the three bureaus we reviewed, we found only one bureau following guidance\nfor account provisioning 26 procedures for the DOI Access system as outlined in\nthe Chief Information Officer\xe2\x80\x99s December 2009 memorandum. 27 The procedures,\nhowever, are ambiguous because they \xe2\x80\x9crecommend\xe2\x80\x9d instead of specifically direct\nthe intended procedures. This lack of direction caused confusion, and as a result,\nthe Department is neither compliant with nor fully using the DOI Access system.\n\nAlso, we found that account management procedures were duplicative and\ninconsistently implemented and distributed. A major objective behind the\nprocedures is to create new accounts in the DOI Access System. We found that 9\nmonths after the January 15, 2010 deadline, not all accounts were created within\nthe system.\n\nThe DOI Access System cannot provide a full identity management program. It\ncontains contractor status only for contractors with DOI network access but not all\nDOI contractors require DOI network access. The DOI Access system does not\nmanage access to the copious amount of individual DOI applications. Until all\ncontractors and all disparate DOI applications are considered and entered into\nDOI Access, the Department will continue to lack one authoritative source for\nidentity management.\n\nPersonal Identity Verification (PIV) Cards\nImplementing the standard identification mandate from Homeland Security\nPresidential Directive 12 increases IT security because it ensures that people are\nwho they say they are. Standard identification is a significant element to\nconfirming users\xe2\x80\x99 identities because it employs a two-factor authentication, which\ngrants a user access only when they can combine something they have with\ninformation that they know (e.g., a Personal Identity Verification card and a\npassword or personal identification number).\n\nThe Department reported a December 31, 2010 completion date to the Office of\nManagement and Budget for integration of PIV credentials with logical and\nphysical access systems. We found, however, that the Department has not yet\nactivated PIV cards to 15,682 employees (24 percent) and 11,637 contractors (78\npercent) as of September 30, 2010.\n\nThe Department considers the following bureaus at risk. A bureau\xe2\x80\x99s risk is\nattributed to PIV card issuance and in some instances, includes employees,\ncontactors, or both:\n\n    \xe2\x80\xa2    BIA, which is at 59 percent issuance for employees and 2 percent for\n         contractors;\n\n26\n   We found OSM at 100 percent compliance, BLM with limited implementation, and NPS testing the\nprocedures at one office.\n27\n   \xe2\x80\x9cDOI Access Procedures for Bureau/Office Active Directory and Email Systems.\xe2\x80\x9d\n\n                                                                                                  36\n\x0c       \xe2\x80\xa2       BIE, which is at 40 percent issuance for employees and 2 percent for\n               contractors;\n       \xe2\x80\xa2       BLM, which is at 73 percent issuance for employees and 2 percent\n               issuance for contractors;\n       \xe2\x80\xa2       NPS, which is at 68 percent issuance for employees and 6 percent for\n               contractors;\n       \xe2\x80\xa2       FWS, which is at 78 percent issuance for employees and 9 percent for\n               contractors;\n       \xe2\x80\xa2       USBR, which is at 60 percent issuance for contractors;\n       \xe2\x80\xa2       BOEMRE, which is at 52 percent issuance for contractors;\n       \xe2\x80\xa2       OS, which is at 54 percent issuance for contractors; and\n       \xe2\x80\xa2       SOL, which is at 24 percent issuance for contractors.\n\n                                            DOI ACCESS DASHBOARD FOR EXISTING EMPLOYEES\n                                                              Phase II Status as of September 30, 2010\n                           NACI Processing                             STEP 1:                    STEP 2:                        STEP 3: ACTIVATION\n                                                               SPONSORSHIP                 ENROLLMENT                100 percent revised goal by 12/31/09 (Monthly\n                                                            (Monthly Cumulative)        (Monthly Cumulative)                           Cumulative)\n  Bureau                                                                                                                                                         Actual\n                                                                                                                                                 Revised\n                                                Percent                      Percent                    Percent      Revised                                    Percent\n                FPPS PP23       Actual                        Actual                      Actual                                    Actual       Percent\n                                              Complete*                    Complete*                  Complete*      Goal**                                   Complete***\n                                                                                                                                               Complete***\n                                                                                                                                                                   *\nBIA               5,047         4,540            90%           5,335         106%         4,039             80%       2,537         2,976         117%           59%\nBIE               4,130         3,707            90%           4,362         106%         2,170             53%       2,075         1,668          66%           40%\nBLM               10,874       10,874            100%         10,969         101%         9,973             92%       5,971         7,938         133%           73%\nUSBR              4,961         4,961            100%          5,683         115%         5,471         110%          4,274         5,045         118%           102%\nFWS               9,309         9,054            97%           9,316         100%         8,402             90%       4,936         7,254         147%           78%\nBOEMRE            1,645         1,668            101%          1,828         111%         1,796         109%          1,447         1,751         121%           106%\nNBC                1,245       1,229             99%          1,220              98%       1,201            96%        1,090        1,140         105%           92%\nNPS-              16,697       16,697            100%         16,455             99%      14,245            85%       13,037       11,305          87%           68%\nOHTA                27           27              100%           27           100%           27          100%            27            27          100%           100%\nOS                 978           978             100%          1,300         133%         1,281         131%           879          1,208         137%           124%\nOSM                529           528             100%           585          111%          582          110%           460           548          119%           104%\nOST                644           644             100%           675          105%          667          104%           518           649          125%           101%\nSOL                415           415             100%           452          109%          446          107%           414           416          100%           100%\nUSGS              8,839         8,839            100%          9,844         111%         9,088         103%          6,896         7,870         114%           89%\n       Total     65,340        64,161            98%          68,051         104%        59,388             91%      44,561        49,795         112%           76%\n\n\n Percent                                   * Percent Complete = Actual (ASR dated 10-04-10) / FPPS PP23 2008 Data\n\n complete                                 ** Revised Goal = FPPS PP23 excluding employees outside of reasonable travel time from open Credentialing Centers\n90% or more On schedule                  *** Percent Complete = Actual / Revised Goal\n 80% - 89%     Behind                  **** Percent Complete = Actual /FPPS PP23 2008 Data\n 0% - 79%      At Risk\n\n\n\n\nFigure 8. Percentages exceeding 100 percent are caused by a fluctuating baseline.\n\n\n\n\n                                                                                                                                                                       37\n\x0c                          DOI ACCESS DASHBOARD FOR CONTRACTORS/AFFILIATES\n                                                Phase II Status as of September 30, 2010\n                          NACI Processing               STEP 1: SPONSORSHIP           STEP 2: ENROLLMENT      STEP 3: ACTIVATION\n                                                         (Monthly Cumulative)          (Monthly Cumulative)   (Monthly Cumulative)\n\n  Bureau\n               OMB QTR                       Percent                   Percent                     Percent                Percent\n                              Actual                      Actual                       Actual                  Actual\n                REPORT                      Complete*                Complete*                    Complete*              Complete*\n\nBIA/BIE           2,850        2,500          88%          196           7%              122          4%         67          2%\nBLM               3,750        1,000          27%          134           4%              114          3%         57          2%\nBOR                646          640           99%          854          132%             630         98%        385         60%\nFWS                745          139           19%           96           13%             82          11%         67          9%\nBOEMRE             380          370           97%          295           78%             245         64%        197         52%\nNBC                626          527           84%          686          110%             633         101%       513         82%\nNPS               3,750         195            5%          316           8%              269          7%        241          6%\nOHTA               408          408           100%         408          100%             382         94%        360         88%\nOS                 354          354           100%         284           80%             273         77%        191         54%\nOSM                 35          35            100%          43          123%             40          114%        34         97%\nOST                150          150           100%         163          109%             155         103%       152         101%\nSOL                 38          22            58%           29           76%             29          76%         9          24%\nUSGS              1,187        1,187          100%        1,598         135%            1,334        112%      1,054        89%\n      Total      14,919       7,527           50%         5,102          34%            4,308        29%       3,327        22%\n\n\n Percent                               * Percent Complete = Actual / OMB QTR REPORT\ncomplete\n90% or more On schedule\n 80% - 89% Behind\n 0% - 79%     At Risk\n\n\n\n\nFigure 9. Percentages exceeding 100 percent are caused by a fluctuating baseline.\n\nThe Department has issued PIV cards to 53,122 employees and contractors, but\ncard use is not enforced. This impacts Departmental privacy, data security,\nauthentication, and overall security posture and causes the Department to fall\nshort of compliance with Homeland Security Presidential Directive 12. Full PIV\ncard compliance would mitigate many of the account management issues\naddressed in the DOI Access Program section.\n\nOther Fieldwork\nActive Directory\nWe conducted an evaluation of Active Directory in February 2010 to assess the\nefficiency and effectiveness of its information security controls. Active Directory\nis a Microsoft technology that provides network services that enable applications\nto use, find, and manage directory resources such as printers, permissions, and\nusers. It unifies management of IT resources such as security, passwords, users\nand groups.\n\nWe found no standardization for naming conventions, how group policies are\nstructured, creating accounts, or monitoring accounts. In some cases, we even\nfound that a lack of standardization for account management existed within the\nsame bureau.\n\nCapabilities to secure user accounts exist in Active Directory. These capabilities\ninclude locking accounts to specific workstations, locking them only to certain\nhours during the day, or setting them to disable after a certain date. We found that\n                                                                                                                                     38\n\x0cthose capabilities were either not consistently implemented or not used at all. We\nalso found training account usernames and passwords on sticky notes posted to\nworkstations, which allows anyone with access to these workstations to log into\nthe account from anywhere in the bureau.\n\nFISMA Fieldwork\nWe identified inconsistent and poor account management practices during our\nFISMA review of three bureaus. We found that:\n\n   \xe2\x80\xa2   One NPS helpdesk did not follow procedures for changing passwords;\n   \xe2\x80\xa2   Four BLM State helpdesks did not follow procedures for changing\n       passwords, which resulted in four successful social engineering exploits;\n   \xe2\x80\xa2   Answers to the BLM National Helpdesk\xe2\x80\x99s challenge questions were found\n       on the Internet. These weak questions led to a successful social\n       engineering exploit; and\n   \xe2\x80\xa2   The OSM helpdesk did not have adequate procedures to validate users\n       calling in for password changes. We obtained a password for the Chief\n       Information Security Officer.\n\n Recommendations\n\n    20. Ensure account management procedures adhere to policies.\n\n    21. Ensure identity verification security questions are unique and answers\n        cannot be easily obtained.\n\n    22. Issue PIV cards to all employees and contractors.\n\n    23. Enforce the use of PIV cards for all employees and contractors.\n\n\nContinuous Monitoring\nPolicy\nA continuous monitoring program encompasses all automated and manual\nprocesses implemented in the environment to maintain awareness regarding the\norganization\xe2\x80\x99s security posture. According to NIST, \xe2\x80\x9cthe objective of a\ncontinuous monitoring program is to determine if the complete set of planned,\nrequired, and deployed security controls within an information system or inherited\nby the system continue to be effective over time in light of the inevitable changes\nthat occur.\xe2\x80\x9d Neither DOI nor its bureaus have an established continuous\nmonitoring strategy even though it is required by FISMA.\n\n\n\n\n                                                                                 39\n\x0cContinuous monitoring is integral to NIST Special Publication 800-37, 28 Revision\n1, and NIST expects the updated guidance to be fully implemented by February\n2011. The Office of Management and Budget elaborates in M-10-15, 29 stating\nthat agencies \xe2\x80\x9cshould develop an enterprise-wide strategy for selecting a subset of\ntheir security controls to be monitored on an ongoing basis to ensure all controls\nare assessed during the 3-year authorization cycle.\xe2\x80\x9d\n\nContinuous monitoring policies are disparate or lacking at many of the\nDepartment\xe2\x80\x99s bureaus and offices. We found draft policy at five bureaus,\nundeveloped policy at three bureaus, and no policy at five bureaus. Without well-\ndefined policies and coordinated procedures for continuous monitoring, the\nprogram is fragmented.\n\nFragmented Continuous Monitoring\nThe Department and bureaus have Plan of Action and Milestones 30 (POAM) with\nan estimated cost of $120.5 million to mitigate the weaknesses associated with\ncontinuous monitoring.\n\nAccording to NIST, continuous monitoring programs include: configuration\nmanagement, security impact analyses on proposed or actual changes,\nassessments of selected security controls, and active involvement by authorizing\nofficials in the ongoing management of information system security risks.\nAccomplishing the objectives of the program would require an effective\nmechanism to update security plans, security assessment reports, and POAM.\nAlso, assessing the ongoing security posture will demand vulnerability scanning\ntools, network monitoring tools, and other automated support tools that can help\ndetermine the security state of an information system.\n\nThe Department\xe2\x80\x99s Enterprise Infrastructure Division has a multitude of automated\ncapabilities for continuous monitoring, but full implementation has not occurred.\nEnterprise Services Network, a part of the Enterprise Infrastructure Division, has\nthe technical capabilities to provide continuous monitoring services as detailed in\nits \xe2\x80\x9cService Catalogue.\xe2\x80\x9d Bureaus lack consistency as to which services to\nleverage. We found that DOI fails to integrate data feeds that would facilitate the\nmaturation of the continuous monitoring program. The feeds would encourage a\nmore timely and efficient data collection process.\n\nWe found that the Department\xe2\x80\x99s Data Loss Prevention system can identify and\nreport personally identifiable information (PII) incidents but cannot prevent them.\nThe system\xe2\x80\x99s next phase of implementation is to prevent PII incidents but\nresource limitations hinder progress. The Enterprise Services Network at the\n\n28\n   Revision 1, \xe2\x80\x9cGuide for Applying the Risk Management Framework to Federal Information Systems,\xe2\x80\x9d\nFebruary 2010.\n29\n   \xe2\x80\x9cFY2010 Reporting Instructions for the Federal Information Security Management Act and Agency\nPrivacy Management.\xe2\x80\x9d\n30\n   Continuous Monitoring POAMs: Department CSAM ID numbers 10918 and 13963; 102 Bureau POAMs\nassociated with 74 systems.\n\n                                                                                               40\n\x0cDepartment\xe2\x80\x99s Security Operations Center assesses and manages PII incidents, but\nit does not have sufficient resources to manage them all. Bureaus assist\nDepartmental personnel by managing their own PII incidents.\n\nWe found that only BLM and USGS personnel who manage their bureau\xe2\x80\x99s PII\nincidents are at the Security Operations Center on a fulltime basis. BIA, NPS,\nOSM, and MMS are managing their incidents at the Security Operations Center\non a part-time basis. The remaining bureaus do not assist Security Operations\nCenter personnel with managing PII incidents. More than 200 PII incidents are\nwaiting for remedy within the Department\xe2\x80\x99s Data Loss Prevention solution as of\nSeptember 30, 2010.\n\n                       PII Escalated Incidents by Bureau\n\n\n\n\nFigure 10. This is a snapshot of the Department\xe2\x80\x99s Data Loss Prevention system from June 1\nto September 30, 2010. More than 200 PII incidents are waiting to be remedied.\n\nOur fieldwork at three bureaus also revealed ad hoc continuous monitoring\nprograms. The bureaus would conduct vulnerability scanning, application\npatching, and vulnerability mitigation as time permitted or urgency demanded.\nWe found that endpoint protection applications were not properly configured to\nreport to a central location so that bureaus could assess the identified situation on\ntime.\n\nWe also determined that monitoring software for Active Directory was not\nconfigured to monitor significant events associated with user accounts. Risks\ncannot be assessed and managed if automated systems are not continually\nmonitoring, if data is not analyzed, if trends are not established, and if reports to\nmanagement personnel are not occurring.\n\n\n\n\n                                                                                       41\n\x0cSecurity Status Reports\nTo assess risks, authorizing officials need ongoing results from continuous\nmonitoring, updated security plans, security assessment reports, and POAMs. We\nfound only one example of a complete security status report, prepared for\nEnterprise Services Network, a system in our sample. The reporting, however, did\nnot occur regularly. DOI guidance suggests neither the format nor content for a\nsecurity status report.\n\nUnused Investments\nWe found that many continuous monitoring investments are sitting idle or largely\nunused. A Departmental system called OPNET is capable of mapping the DOI\nnetwork and identifying IT assets. It can help detect changes in the network\ninfrastructure and provide an accurate and dynamic IT asset inventory for\nsuccessful continuous monitoring, but these processes have not been completed\nbecause bureaus have not agreed to network adjustments that would enable the\nprocess.\n\nNot all bureaus have the system configured to report to an application for Active\nDirectory security enhancements, which would assist with monitoring user\naccount management. We also found an asset inventory, auditing, and logging\nsystem that can pull hardware and software reports and provide patch\nmanagement status. This DOI system sits idle because the bureaus have not made\nthe necessary changes to report to the Department.\n\n Recommendations\n\n    24. Create a comprehensive, enterprise-wide strategy for continuous\n        monitoring.\n\n    25. Establish a format and content template for the authorizing official\xe2\x80\x99s\n        security status reports.\n\n    26. Enhance the Department\xe2\x80\x99s continuous monitoring program using\n        existing investments.\n\n    27. Ensure that bureaus are reporting to centralized Departmental\n        continuous monitoring systems.\n\n    28. Establish procedures for using a security assessment report and design\n        a format and content template.\n\n\n\n\n                                                                                 42\n\x0cContingency Planning\nPolicy\nFISMA requires that information system contingency plans be part of DOI\xe2\x80\x99s IT\nsecurity program. The DOI IT Security Policy Handbook clearly states that\nbureaus \xe2\x80\x9cdevelop and implement contingency plans for all information systems.\xe2\x80\x9d\nDOI policy also requires annual plan testing and personnel training regarding\ntheir roles and responsibilities in executing the plan.\n\nPlans should be documented in accordance with NIST Special Publication 800-\n34 31, which addresses contingency planning more extensively than any of the\navailable DOI guidance. According to NIST, guidance must be fully implemented\nby May 2011.\n\nDOI guidance does not provide DOI system users with adequate information to\nestablish a suite of plans related to the contingency or enough information to\nunderstand how their system plan fits into a larger, emergency-preparedness\nprogram. 32 DOI guidance needs to be improved significantly to assure system\ncontingency plans comply with NIST.\n\nContingency plans and testing\nWe found that contingency plans generally are poorly documented, not based on\nrealistic consideration of threats, and have not been annually updated and tested.\nThe plans in our sample described the planning process, rather than realistic\nthreats and proposed measures to reduce their impact.\n\nInformation system contingency plan tests are intended to evaluate the viability of\na plan, and identify deficiencies and lessons learned. Although FISMA requires\nannual, documented tests, we found that many testing scenarios were simplistic\nand provided limited documentation and conclusions to justify the worth of plan\ntesting.\n\nThe backup failure associated with the Office of the Chief Information Officer\xe2\x80\x99s\nown CSAM solution was a major setback that exemplifies the importance of\ncontingency plan testing. System backup and recovery procedures are part of\ncontingency planning; they are to be tested annually in accordance with DOI\npolicy. In the case of the CSAM failure, not all bureaus retained duplicate\ndocumentation that could be used for restoration. Had CSAM\xe2\x80\x99s contingency plan\nbeen tested, it is likely the backup \xe2\x80\x9cglitch\xe2\x80\x9d would have been detected earlier and\npotentially mitigated its impact.\n\nWe found many areas where plans in our sample fell short. Eight plans have not\nbeen updated within the last year, as required. One contingency plan had not been\n\n31\n   Revision 1 of NIST Special Publication 800-34, titled \xe2\x80\x9cContingency Planning Guide for Federal Systems,\xe2\x80\x9d\nwas released in May 2010.\n32\n   \xe2\x80\x9cCertification and Accreditation (C&A) Guide Using the Cyber Security Assessment and Management\n(CSAM) Solution Version 2.0.\xe2\x80\x9d\n\n                                                                                                       43\n\x0cupdated since 2006. We also identified eight systems that did not conduct timely\ncontingency plan tests and three that failed to provide any artifacts to document\nthe test.\n\nWe also found that contingency plans for systems with high security\ncategorization also were not tested or updated on time. Specifically, we noted that\nsix of the 10 DOI systems were not tested annually, and seven of the 10 plans\nwere not updated annually as is required for all information system contingency\nplans.\n\nLarge, complex systems have not established a contingency plan or even a\nstrategy to consolidate a plan for General Support Systems. Bureaus with large,\ncomplex systems have not documented their process for combining the\ncomponent plans into a consolidated plan for the entire system. We determined\nsome of the component plans have not been updated since 2004. Outdated\ncontingency plans for the component parts are not useful when considering\ncontingency planning for the whole system.\n\nWe found that bureaus\xe2\x80\x99 various interpretations of the contingency planning\nprocess have resulted in inconsistent implementation. According to NIST Special\nPublication 800-34, \xe2\x80\x9cuniversally accepted definitions for information system\ncontingency planning and the related planning areas have not been available.\nOccasionally, this leads to confusion regarding the actual scope and purpose of\nvarious types of plans.\xe2\x80\x9d DOI guidance does not address key contingency planning\nareas, including business impact analysis, business continuity plans, and disaster\nrecovery plans.\n\nLack of Integration\nDuring our fieldwork, we asked how the bureaus incorporate their information\nsystem contingency plans into their overall risk-management, security, and\nemergency-preparedness programs. We found that the system contingency plans\nwere not considered as part of the bureaus\xe2\x80\x99 or location\xe2\x80\x99s emergency-preparedness\nprograms. We found one system contingency plan in our sample had been\nincorporated into a combined contingency plan for all IT operations at that\nlocation. The individual information system contingency plans had been\nconsidered in aggregate to establish a larger, integrated plan. DOI is unfamiliar\nwith the concept that a suite of plans would be necessary in the event of a\ndisruption. The response, continuity, recovery, and resumption of mission and\nbusiness functions and information systems are situational, but bureaus have no\ncomprehensive planning guidance to follow.\n\n Recommendation\n\n    29. Update contingency planning guidance to correspond with NIST Special\n        Publication 800-34, Revision 1, before May 2011.\n\n\n                                                                                  44\n\x0cOversight of Contractor Systems\nPolicy\nOverall, Departmental policy regarding contractor oversight is lacking, even\nthough FISMA\xe2\x80\x99s requirements for information security also apply to contractor\nsystems, 33 and responsibility and accountability reside with DOI.\n\nFISMA requirements and contractor oversight are addressed in multiple sources\nof Federal guidance. Interdependencies exist between the various sources of\nguidance, and coordinated oversight practices are required to ensure effectiveness.\nFederal Acquisition Regulations (FAR) emphasize the IT security requirements\nthat are included in acquisition documents. The security requirements are much\nmore extensive than just the clauses included in the acquisition documents.\nFISMA requires that contractors comply with the contracting agency\xe2\x80\x99s IT security\npolicies for their program. NIST and OMB provide guidance for implementing\nFISMA, which often includes requirements for contractors. All four sources\n(FAR, agency policies, NIST, and OMB) require oversight of contractors.\nFocusing on any one of the four sources of guidance narrows contractor oversight\nrequirements and does not address the comprehensiveness of the IT security\nrequirements.\n\nThe DOI IT Security Policy Handbook does not address contractor oversight\nresponsibilities beyond the capital planning process. It only includes language to\nbe included with Exhibit 300, the business case submission to the OMB for IT\ncapital projects. Also, Departmental policy neither addresses ongoing oversight\nresponsibilities and how the efforts should be documented nor does it provide\nclear guidance for identifying contractor systems in inventory (for more\ninformation, see the IT Inventory section of this report).\n\nPolicy Weaknesses\nAn April 2005 U.S. Government Accountability Office report identified oversight\nweaknesses of contractors who provide IT systems and services. 34 Also,\nindependent auditors conducting the FY 2010 DOI Financial System Audit\nidentified contractor monitoring concerns in a Notice of Finding and\nRecommendation (NFR DOI-2010-0007). Specifically, they found that \xe2\x80\x9cDOI does\nnot have a centralized system to accurately track the entire population of\ncontractors with access to Interior\xe2\x80\x99s IT systems.\xe2\x80\x9d\n\n\n\n\n33\n   FISMA \xc2\xa7 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including \xe2\x80\x9cinformation\nsystems used or operated by an agency or by a contractor of an agency or other organization on behalf of an\nagency.\xe2\x80\x9d Section 3544(b) requires that each agency provide information security for the information and\n\xe2\x80\x9cinformation systems that support the operations and assets of the agency, including those provided or\nmanaged by another agency, contractor, or other source.\xe2\x80\x9d\n34\n   Report No. GAO-05-362, titled \xe2\x80\x9cInformation Security: Improving Oversight of Access to Federal Systems\nand Data by Contractors can Reduce Risk.\xe2\x80\x9d\n\n                                                                                                        45\n\x0cImpact\nFull identification of contractors and contractor systems is fundamental to\ncontractor oversight responsibilities. DOI Access is issuing PIV cards to 14,947\ncontractors and, to date, has issued them to only 23 percent of the contractors (see\nthe Identity and Account Management section of this report). The DOI IT system\ninventory identifies 23 accredited contractor systems. During our review of the\nsample of systems, however, we found three components with contractor-\nprovided IT services or equipment not clearly identified in DOI IT inventory.\nAssuring the implementation of oversight procedures is impossible if components\nare not clearly identified in inventory, just as it is impossible to assure contractor\ncompliance with various FISMA requirements if DOI cannot accurately identify\nthem.\n\nVague guidance statements regarding applicability to contractors are found\nthroughout Department policies. The procedures for contractor oversight are not\ndetailed nor are the documentation requirements defined. We found no clear\nevidence that the contractor oversight processes have been implemented, but we\ndid see references to contractor operations comingled with agency assessments.\nRoles and responsibilities for the IT security program elements are not clearly\ndelineated between DOI and contractors.\n\nBureaus that are required to perform contractor oversight have not established or\nfollowed a systematic process, and DOI does not have specific policies for\noverseeing contractor security practices. The ramifications of not performing\ncontractor oversight significantly impacts identification risk and compliance with\nFISMA, NIST, Office of Management and Budget, and FAR.\n\nThe Department cannot have assurance of its security posture for multiple IT\nsecurity program areas without contractor oversight of the following:\n\n   \xe2\x80\xa2   Annual assessment of controls at contractor locations;\n   \xe2\x80\xa2   Completed IT inventory;\n   \xe2\x80\xa2   Security training (role-based security and FISSA training);\n   \xe2\x80\xa2   Personnel security (background investigations);\n   \xe2\x80\xa2   Physical security (security of data, facility, systems);\n   \xe2\x80\xa2   Privileged access to Federal data and systems;\n   \xe2\x80\xa2   Oversight of sub-contractors at a contract facility;\n   \xe2\x80\xa2   Information controls (privacy) over shared environments;\n   \xe2\x80\xa2   Interconnection security agreements and memorandum of understanding;\n   \xe2\x80\xa2   The DOI Access process for contractors;\n   \xe2\x80\xa2   FDCC compliance;\n   \xe2\x80\xa2   Encryption when transporting data;\n   \xe2\x80\xa2   Ongoing risk assessments;\n   \xe2\x80\xa2   Completions of e-risk authentications; and\n   \xe2\x80\xa2   Contractors\xe2\x80\x99 system maintenance (e.g., patching, virus protection,\n       scanning, etc.).\n                                                                                   46\n\x0cContracting Practices \xe2\x80\x94 Hardware and Software Purchases\nIT acquisitions are not centrally managed within DOI or bureaus. During\nfieldwork, we determined that hardware and software purchase generally occur in\nthree ways: under the DOI blanket purchase agreements, General Services\nAdministration schedule (IT Schedule 70), or direct purchase at various bureau\nlevels. We were unable to validate that FAR, parts 39 and 39 D 35, were\nconsistently included on contracts managed at the bureau level. During fieldwork,\nwe were told that personnel with direct purchase authority routinely purchase\nhardware. Such purchases make maintaining an accurate IT Inventory difficult\nand DOI is not assured they are obtaining secure configurations. We found that\ncopies of contracts for workstation acquisitions did not include FDCC\nrequirements.\n\nWe determined that IT security requirements were not consistently included in IT\nservice contracts. We found some security requirements added to some service\ncontracts, but the content varied significantly between bureaus. Furthermore, we\ndetermined that the oversight requirements were not specifically referenced or\nstated.\n\nWe also found that bureaus purchase software outside of the Department\xe2\x80\x99s\nenterprise license agreements or blanket purchase agreements, so discounted rates\nare not applied. From 1999 to 2009, bureaus purchased 7 percent of their Adobe\nproducts outside of Department contracts. Symantec, an end-point security\nprovider in DOI, stated that \xe2\x80\x9cthe current enterprise agreement is only about 50\npercent\xe2\x80\x9d of what the bureaus spend with Symantec annually. Such purchases\nincrease the overall costs associated with software purchases. Without the ability\nto control software acquisitions, the Department cannot ensure efficient spending\nand standardized software.\n\n Recommendations\n\n      30. Define, document, and establish procedures for contactor oversight in\n          accordance with FISMA requirements.\n\n      31. Coordinate between IT security and the associated procurement\n          contracting office.\n\n\n\n\n35\n   Part 39 of the Federal Acquisition Regulation (FAR) requires agencies to include appropriate information\ntechnology security policies and requirements when acquiring information technology, and Part 39d\nincorporates requirements for using common security configurations.\n\n                                                                                                         47\n\x0cConclusion and Recommendations\nConclusion\nPoor information in management information systems and inconsistent\nimplementation continues to impact the DOI IT security program. Bureaus will\nremain unaccountable for their IT security shortcomings and inconsistencies will\npersist until they are required to follow DOI policy and guidance. Fundamental\nprogram components must improve or they will continue to struggle to satisfy\nFISMA requirements.\n\nRecommendation Summary\nTo address the deficiencies identified in this report, we recommend that DOI:\n\n   1. Standardize the use of terms within CSAM.\n\n   2. Establish clear guidance for managing IT assets system inventory,\n      including: the identification and documentation of minor applications, the\n      identification (description, hosted, or operated) and documentation of\n      contractor components, a process for adding systems in development to\n      inventory, a process for adding test systems into inventory, and a process\n      for mapping all components to authorization boundaries.\n\n   3. Establish clear guidance for managing hardware and software asset\n      inventory.\n\n   4. Update DOI\xe2\x80\x99s security authorization policy and guidance to incorporate\n      the latest NIST guidance (NIST 800-37, Revision 1, and NIST 800-53,\n      Revision 3).\n\n   5. Merge the multiple DOI security authorization procedural documents into\n      a single document. The guidance should clarify when the authorization\n      process begins in the life cycle, the role of the senior risk executive, and\n      clarify how information system boundaries are to be documented.\n\n   6. Implement least privilege principal and control use of elevated user rights.\n\n   7. Standardize Web browsers and firewalls on workstations Interior-wide.\n\n   8. Document and approve all deviations from FDCC compliance.\n\n   9. Implement network access controls.\n\n   10. Implement incident response policies and procedures consistently\n       throughout bureaus and offices.\n\n\n                                                                                48\n\x0c11. Require bureaus and offices to use the Department\xe2\x80\x99s DOI CIRC database\n    for incident response and reporting versus their own implementation.\n\n12. Evaluate the current Rules of Behavior submission process to ensure it\n    satisfies electronic signature requirements.\n\n13. Implement a solution that assists in establishing accurate employee and\n    contractor baseline counts, such as a central authoritative identity\n    management system.\n\n14. Review the qualifications of personnel performing IT security duties in the\n    Department and reassign those duties accordingly.\n\n15. Ensure that the Department and bureaus are accountable for accurate data\n    in CSAM to manage Plan of Action and Milestones weaknesses.\n\n16. Consolidate remote access solutions to allow efficiency and reduce\n    duplicative services.\n\n17. Enforce two-factor authentication.\n\n18. Enable host checking for remote access.\n\n19. Update the telework policy from Personnel Bulletin No. 05-02.\n\n20. Ensure account management procedures adhere to policies.\n\n21. Ensure identity verification security questions are unique and answers\n    cannot be easily obtained.\n\n22. Issue PIV cards to all employees and contractors.\n\n23. Enforce the use of PIV cards for all employees and contractors.\n\n24. Create a comprehensive, enterprise-wide strategy for continuous\n    monitoring.\n\n25. Establish a format and content template for the authorizing official\xe2\x80\x99s\n    security status reports.\n\n26. Enhance the Department\xe2\x80\x99s continuous monitoring program using existing\n    investments.\n\n27. Ensure that bureaus are reporting to centralized Departmental continuous\n    monitoring systems.\n\n\n\n                                                                              49\n\x0c28. Establish procedures for using a security assessment report and design a\n    format and content template.\n\n29. Update contingency planning guidance to correspond with NIST Special\n    Publication 800-34, Revision 1, before May 2011.\n\n30. Define, document, and establish procedures for contactor oversight in\n    accordance with FISMA requirements.\n\n31. Coordinate between IT security and the associated contract procurement\n    office.\n\n\n\n\n                                                                               50\n\x0cAppendix 1: Scope and Methodology\nScope\nWe conducted technical configuration testing at all bureaus, except the Office of\nHearings and Appeals, and comprehensive IT security program fieldwork to\ninclude interviews, observations, and source documents at three bureaus:\n\n   \xe2\x80\xa2    The National Park Service\n           o National Information Technology Center (NITC) and Washington\n              Support Office, Washington, DC, August 30 to September 2, 2010;\n           o National Information Service Center, Lakewood, CO, September\n              15, 2010; and\n           o Rocky Mountain National Park, Estes Park, CO, September 20 and\n              21, 2010.\n   \xe2\x80\xa2    The Office of Surface and Mining\n           o Office of the Chief Information Officer, Washington, DC, August\n              4 to August 6, 2010.\n   \xe2\x80\xa2    The Bureau of Land Management\n           o Information Resource Management, IT Security Division (WO-\n              590), Washington, DC, July 26 to July 28, 2010.\n\nWe selected a sample of 21 systems, which represent accreditation boundaries,\ncomponents of a larger boundary, or systems identified in the DOI environment.\n\n              FISMA Sample of Systems for Fiscal Year 2010\n\n Sample                                                                    Security\n                        System Name                     Acronym\n   No.                                                                  Categorization\n            Native American Student Information\n    1                                                     NASIS            moderate\n            System\n    2       Land Records Information System                LRIS            moderate\n    3       BLM GSS                                      BLM GSS           moderate\n    4       LAWNET                                      LAWNET             moderate\n    5       NIFCeNET GSS                                NIFCeNET           moderate\n            National Conservation Training Center\n    6                                                     NCTC             moderate\n            Local Area Network NCTC LAN\n    7       Talent Management System                       TMS             moderate\n    8       AMAG Physical Acess Control System            AMAG             moderate\n            NPS-GSS (Yosemite Wilderness Permit\n    9                                                 OneGSS (Permit)      moderate\n            System)\n            NPS-GSS (Concessions Management              OneGSS\n   10                                                                      moderate\n            System)                                    (Concession)\n   11       Technical Information Management System       TIMS             moderate\n            OHTA Clifton Gunderson Indian Trust\n   12                                                 OHTA-CGITIS            high\n            Information System\n   13       DOI Enterprise Services Network                ESN             moderate\n            Incident Management Analysis and\n   14                                                     IMARS         not categorized\n            Reporting System\n   15       Project Portfolio System                       PPM          not categorized\n\n\n                                                                                          51\n\x0c   16       Radio Systems (BLM, NPS, USGS)               Radio      not categorized\n   17       OSM Enterprise GSS                         OSM-GSS        moderate\n   18       OST LAN/WAN                                 OSTNet        moderate\n   19       SOL-NET                                    SOL-NET        moderate\n   20       Science and Support System - Moderate   S&SS-Moderate     moderate\n   21       Science and Support System - Low          S&SS - Low          low\n\n\n\nWithin this sample, we looked beyond authorization packages to assess DOI\xe2\x80\x99s\nprocess for managing all IT system inventory. The authorization packages in our\nsample included most bureaus, all security categorizations (i.e., high, moderate,\nand low), and all types of systems (e.g., general support systems, major\napplication, minor applications, and undetermined), operational status (i.e.,\ndevelopment and operational), and agency and contractor systems.\n\nWe based our analysis on data calls issued to the Department and bureaus during\nfiscal year 2010. We completed additional analysis using information obtained\nfrom two Departmental systems: DOI Enterprise Architecture Repository (DEAR)\nand Cyber Security Assessment Management (CSAM) solution. We reviewed\napplicable laws, regulations, Office of Management and Budget guidance,\nNational Institute of Standards and Technology standards, Government\nAccountability Office reports, and Department and bureau policies. All applicable\nstandards and guidance were used as baselines for assessing the DOI IT security\nprogram.\n\nMethodology\nFISMA requires agencies to have an annual independent evaluation of their\ninformation security program and practices and for agencies to report results of\nthe evaluation to the Office of Management and Budget.\n\nWe conducted our FY 2010 FISMA evaluation to obtain information required for\nOffice of Management and Budget reporting. This report consolidates our\nfindings related to the Department of the Interior\xe2\x80\x99s IT Security Program and their\ncompliance with key FISMA areas.\n\nWe conducted our evaluation in accordance with the \xe2\x80\x9cQuality Standards for\nInspections\xe2\x80\x9d as put forth by the Council of Inspector General on Integrity and\nEfficiency. Accordingly, we included such tests and other procedures that we\nconsidered necessary under the circumstances. The conclusions in this report are\nbased on our fieldwork, technical testing, data calls, and analysis of data in\nDepartmental systems.\n\n\n\n\n                                                                                      52\n\x0cAppendix 2: Summary of FISMA\nResults (FY 2003 to 2010)\nDOI spent an estimated $719.6 million on IT security since fiscal year (FY) 2003,\nbut FISMA noncompliance persists. Continued funding to DOI\xe2\x80\x99s IT Security\nProgram as it is structured is inconsistent with OMB\xe2\x80\x99s intent according to a\nDecember 21, 2004 advisory (A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal\nControl\xe2\x80\x9d), which states \xe2\x80\x9cmanagement accountability is the expectation that\nmanagers are responsible for the quality and timeliness of program performance,\nincreasing productivity, controlling costs and mitigating adverse aspects of\nagency operations, and assuring that programs are managed with integrity and in\ncompliance with applicable law.\xe2\x80\x9d\n\nThe following is a summary of conclusions from DOI FISMA evaluation reports\nand the associated IT funding by fiscal year, beginning with 2003.\n\nFY 2003\n      IT Budget: $791.2 36 million, or 5.7 percent of the DOI\xe2\x80\x99s overall budget\n      ($13,881 million). 37\n      FISMA report conclusion: \xe2\x80\x9cWe found that the Department continues to\n      make significant progress to improve the security over its information\n      systems. However, its overall security program does not yet adequately\n      protect all information systems supporting the operations and assets of the\n      Department and therefore remains a material weakness.\xe2\x80\x9d\n\nFY 2004\n      IT Budget: $816.5 million, or 5.7 percent of the DOI\xe2\x80\x99s overall budget\n      ($14,325 million).\n      FISMA report conclusion: \xe2\x80\x9cWe found that the Department continues to\n      improve the security over its information systems. However, despite sound\n      guidance from the Office of the Chief Information Officer, we continue to\n      identify weaknesses in bureau and office implementation of IT security\n      requirements.\xe2\x80\x9d\n\nFY 2005\n      IT Budget: $802.8 million, or 5.7 percent of the DOI\xe2\x80\x99s overall budget\n      ($15,839 million).\n      FISMA report conclusion: \xe2\x80\x9cWe have determined that there are\n      significant weaknesses in DOI\xe2\x80\x99s compliance with FISMA, as well as its IT\n      security program as a whole. Our audits, evaluations, and technical testing\n      of DOI\xe2\x80\x99s systems and IT security program show that bureaus and offices\n\n\n36\n     IT Budget was estimated for FY 2003, FY 2004 and FY 2005 using the average of the FY 2006-2009 IT percentages.\n37\n     The total DOI Budget for each fiscal year can be found at http://www.doi.gov/budget.\n\n                                                                                                                  53\n\x0c             are not implementing DOI policies and are not complying with OMB\n             requirements for Certification and Accreditation.\xe2\x80\x9d\n\nFY 2006\n      IT Budget: $934.0 million, 38 or roughly 5.8 percent of DOI\xe2\x80\x99s overall\n      budget ($16,122 million).\n      FISMA report conclusion: \xe2\x80\x9cOur testing and evaluation of DOI\xe2\x80\x99s IT\n      Security program for Fiscal Year 2006 indicates that DOI has made good\n      progress in the following areas: System Inventory, POA&Ms, Computer\n      Security Incident Response, and Contractor Oversight. Still more work is\n      needed to improve DOI\xe2\x80\x99s Certification & Accreditation program and the\n      use of standard security configurations for servers, workstations,\n      databases, and network equipment throughout DOI. Weaknesses in these\n      two critical areas impact a broad set of federal requirements requiring the\n      use of effective management, operational and technical controls.\xe2\x80\x9d\n\nFY 2007\n      IT Budget: $957.6 million, or roughly 6.1 percent of DOI\xe2\x80\x99s overall\n      budget ($15,799 million).\n      FISMA report conclusion: \xe2\x80\x9cDOI made good progress in a number of key\n      FISMA areas; however, our evaluation determined the DOI information\n      security program has not been consistently implemented throughout the\n      Department and the resulting weaknesses hinder achievement of full\n      compliance with FISMA.\xe2\x80\x9d\n\nFY 2008\n      IT Budget: $952.7 million, or roughly 5.4 percent of DOI\xe2\x80\x99s overall\n      budget ($17,475 million).\n      FISMA report conclusion: \xe2\x80\x9cAs in the past several years, the Department\n      has made progress in documenting information security; however,\n      implementation lags. There remain fundamental flaws in compliance with\n      the FISMA. Lack of compliance is due in large part to the decentralized\n      nature of the Department, IT program and lack of authority by the\n      Department\xe2\x80\x99s CIO. These serious organizational flaws potentially negate\n      the many millions of dollars spent on IT security annually. Lack of\n      departmental oversight, coupled with questionably qualified personnel\n      performing information security duties across the Department, contributes\n      inadequate incident detection and response capabilities put the Department\n      at substantial risk.\xe2\x80\x9d\n\nFY 2009\n      IT Budget: $965 million, or roughly 5.6 percent of DOI\xe2\x80\x99s overall budget\n      ($17,183 million).\n      FISMA report conclusion: \xe2\x80\x9cAs in previous years, we found DOI does\n      not fully comply with the FISMA. The decentralized organizational\n38\n     IT Investment Portfolio amounts are from Exhibit 53 for each fiscal year.\n\n                                                                                 54\n\x0c       structure, fragmented governance processes related to the IT program, lack\n       of oversight, bureau resistance to departmental guidance, and use of\n       substantially under-qualified personnel to perform significant information\n       security duties exasperates the challenges in securing the Department\xe2\x80\x99s\n       information and information systems.\xe2\x80\x9d\n\nFY 2010\n      IT Budget: $995.7 million or 8.2 percent of the DOI overall budget\n      ($12,587 million).\n      FISMA report conclusion: Poor information in management information\n      systems and inconsistent implementation continues to impact the DOI IT\n      security program. Bureaus will remain unaccountable for their IT security\n      shortcomings and inconsistencies will persist until they are required to\n      follow DOI policy and guidance. Fundamental program components must\n      improve or they will continue to struggle to satisfy FISMA requirements.\n\nFY 2011\n      IT Budget: $981.8 million (proposed) or 8.05 percent of the DOI overall\n      budget ($12,200 million).\n\n\n\n\n                                                                              55\n\x0cAppendix 3: Related OIG Reports,\nManagement Advisories, and\nEvaluations\nA list of summaries and updates, if applicable, for OIG reports and management\nadvisories related to IT\xe2\x80\x99s Information Security Program and the fiscal year (FY)\n2010 FISMA Evaluation is included below.\n\nFY 2010\n      Management Advisory: \xe2\x80\x9cAccount Management,\xe2\x80\x9d September 27, 2010,\n      documented occurrences of successful social engineering. It identified a\n      lack of user account management procedures resulting in user accounts\n      being compromised and gaining unauthorized network access.\n\n       Report: \xe2\x80\x9cEvaluation of the Active Directory,\xe2\x80\x9d No. ISD-EV-MOA-0006-\n       2010, August 2010, documented a lack of standardization in the Active\n       Directory structure, unused investments, and a lack of separation of duties.\n\n       Report: \xe2\x80\x9cPrivacy Impact Assessment,\xe2\x80\x9d No. ISD-EV-MOA-0005-2010,\n       June 2010, documented inconsistencies in implementing Privacy Impact\n       Assessment requirements. We found processes for Privacy Impact\n       Assessment requirements and Privacy Impact Assessments for IT systems\n       have not been completed to identify privacy risks associated with sensitive\n       information.\n\n       Report: \xe2\x80\x9cInformation Security Evaluation of the National Interagency\n       Fire Center,\xe2\x80\x9d No. ISD-EV-MOA-0003-2010, June 2010, documented the\n       lack of standardization, duplication, and redundancies at DOI bureaus that\n       are co-located. In addition, radio systems were not certified and\n       accredited.\n\n       Management Advisory: \xe2\x80\x9cDeficiencies in System Inventory Technology,\xe2\x80\x9d\n       OIG Case No. PI-PI-10-0045-1, March 2, 2010, documented the lack of\n       accountability for hard drives of former DOI political appointees.\n\nFY 2009\n      Management Advisory: \xe2\x80\x9cWaste and Noncompliance in Departmental\n      Information Systems,\xe2\x80\x9d October 15, 2009, documented that a vulnerability\n      scanning system is underused and managed inconsistently with FISMA\n      requirements.\n      Update: No change identified during FY 2010.\n\n       Evaluation: \xe2\x80\x9cComputer Configuration Evaluation,\xe2\x80\x9d No. ISD-EV-MOA-\n       0003-2009, August 2009, documented broad noncompliance with\n\n                                                                                 56\n\x0c       mandatory Federal standards associated with the Federal Desktop Core\n       Configuration as well as OMB and Departmental policy.\n       Update: We conducted similar testing in FY 2010 and the results are\n       included in this FISMA report.\n\n       Management Advisory: \xe2\x80\x9cWaste in implementation of Data Encryption\n       Solution,\xe2\x80\x9d April 8, 2009, documented $57,000 per month wasted by\n       failing to implement a purchased encryption solution and the additional\n       incurring maintenance costs.\n       Update: The encryption solution has not yet been fully implemented as of\n       FY 2010.\n\nFY 2008\n      Report: \xe2\x80\x9cCompilation of Information Technology Challenges at the\n      DOI,\xe2\x80\x9d May 2008, documented the need to rescind Secretarial Order 3244.\n      Update: No action has been taken.\n\n\n\n\n                                                                              57\n\x0c      Report Fraud, Waste,\n      and Mismanagement\n             Fraud, waste, and mismanagement in\n            government concern everyone: Office\n           of Inspector General staff, Departmental\n            employees, and the general public. We\n               actively solicit allegations of any\n           inefficient and wasteful practices, fraud,\n                and mismanagement related to\n            Departmental or Insular Area programs\n                and operations. You can report\n               allegations to us in several ways.\n\n\n\nBy Mail:            U.S. Department of the Interior\n                    Office of Inspector General\n                    Mail Stop 4428 MIB\n                    1849 C Street, NW\n                    Washington, D.C. 20240\n\n\nBy Phone:           24-Hour Toll Free                   800-424-5081\n                    Washington Metro Area               703-487-5435\n\n\nBy Fax:             703-487-5402\n\n\nBy Internet:        www.doioig.gov\n\x0c'